Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561502
MD5:	6af576da82f8f0fb7902fa3ce4235e02
SHA1:	50b419ba7eae5134087ff07933e0863431ec2f1f
SHA256:	ed2da9b6055690c5086b520108d1a1b4b736367d558850ae484fe8a1d84bd580
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6728 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6AF576DA82F8F0FB7902FA3CE4235E02)

taskkill.exe (PID: 6768 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7064 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7160 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5004 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5440 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 3808 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6044 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4820 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7b777d-2a26-4fbe-9330-9edfca496016} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bffe16ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4396 -parentBuildID 20230927232528 -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a82ab3-3010-46f8-acb6-a65d54e98571} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8e7d0e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8096 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20381055-6d38-4858-a02c-8e8f38f6f4a2} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8dcc1d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6728	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00B9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B9ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00B9EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B8AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BB9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1660149935.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_177a3a09-4
Source: file.exe, 00000000.00000000.1660149935.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_08e523a7-9
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6c75b25b-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_91198766-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10F4B77 NtQuerySystemInformation,		16_2_0000027EF10F4B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10FB0F2 NtQuerySystemInformation,		16_2_0000027EF10FB0F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B8D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B8E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B28060	0_2_00B28060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92046	0_2_00B92046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88298	0_2_00B88298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5E4FF	0_2_00B5E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B5676B	0_2_00B5676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB4873	0_2_00BB4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B4CAA0	0_2_00B4CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2CAF0	0_2_00B2CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3CC39	0_2_00B3CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B56DD9	0_2_00B56DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B291C0	0_2_00B291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3B119	0_2_00B3B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B41394	0_2_00B41394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B41706	0_2_00B41706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B4781B	0_2_00B4781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B419B0	0_2_00B419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B27920	0_2_00B27920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3997D	0_2_00B3997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B47A4A	0_2_00B47A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B47CA7	0_2_00B47CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B41C77	0_2_00B41C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B59EEE	0_2_00B59EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BABE44	0_2_00BABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B41F32	0_2_00B41F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10F4B77	16_2_0000027EF10F4B77
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10FB0F2	16_2_0000027EF10FB0F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10FB81C	16_2_0000027EF10FB81C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027EF10FB132	16_2_0000027EF10FB132

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B40A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B3F9F2 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B937B5 GetLastError,FormatMessageW,

0_2_00B937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B810BF AdjustTokenPrivileges,CloseHandle,		0_2_00B810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B8D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00B9648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B242A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1877115360.000001BF99F50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894977367.000001BF99F50000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7b777d-2a26-4fbe-9330-9edfca496016} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bffe16ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4396 -parentBuildID 20230927232528 -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a82ab3-3010-46f8-acb6-a65d54e98571} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8e7d0e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20381055-6d38-4858-a02c-8e8f38f6f4a2} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8dcc1d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7b777d-2a26-4fbe-9330-9edfca496016} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bffe16ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4396 -parentBuildID 20230927232528 -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a82ab3-3010-46f8-acb6-a65d54e98571} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8e7d0e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20381055-6d38-4858-a02c-8e8f38f6f4a2} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8dcc1d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1788216466.000001BF9A40F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1903428822.000001BF8DB93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1899955923.000001BF8DB8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898498029.000001BF8DB8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1903428822.000001BF8DB93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1899955923.000001BF8DB8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898498029.000001BF8DB8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1900624542.000001BF8DB32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1788216466.000001BF9A40F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1900624542.000001BF8DB32000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B242DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B40A76 push ecx; ret

0_2_00B40A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B3F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BB1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97027

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000027EF10F4B77 rdtsc

16_2_0000027EF10F4B77

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B8DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B968EE FindFirstFileW,FindClose,	0_2_00B968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B9698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B8D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B8D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B99642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B9979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B99B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B95C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B95C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B242DE

Source: firefox.exe, 00000010.00000002.3527474842.0000027EF1890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: firefox.exe, 0000000F.00000002.3521871370.0000025D85D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 0000000F.00000002.3521871370.0000025D85D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW1
Source: firefox.exe, 00000010.00000002.3527474842.0000027EF1890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr&
Source: firefox.exe, 00000011.00000002.3522297357.000002860E9DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0D
Source: firefox.exe, 00000010.00000002.3521868723.0000027EF0F5A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3526542690.000002860ED30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3527061718.0000025D86118000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3527808137.0000025D86210000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3527474842.0000027EF1890000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_0000027EF10F4B77 rdtsc

16_2_0000027EF10F4B77

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B9EAA2 BlockInput,

0_2_00B9EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B52622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B44CE8 mov eax, dword ptr fs:[00000030h]

0_2_00B44CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00B80B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B52622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B4083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B409D5 SetUnhandledExceptionFilter,	0_2_00B409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B40C21

Source: C:\Users\user\Desktop\file.exe

0_2_00B81201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B62BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B62BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8B226 SendInput,keybd_event,

0_2_00B8B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00BA22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00B80B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B81663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B40698 cpuid

0_2_00B40698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00B98195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B7D27A GetUserNameW,

0_2_00B7D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B5BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B5BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6728, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6728, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00BA1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BA1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.17.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1886947609.000001BF91AB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895637149.000001BF98177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912537062.000001BF98177000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860ECC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1877115360.000001BF99F7E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1890219227.000001BF90A5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907218937.000001BF996D0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3524053546.0000025D860C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3526781864.000002860EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1779865400.000001BF966A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754472678.000001BF966A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860344704.000001BF966A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845727055.000001BF9669E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752963457.000001BF966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1753709150.000001BF966B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752279412.000001BF966B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849793468.000001BF9669E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.3523104595.000002860EC8E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1890341357.000001BF906DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1879908234.000001BF9650F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1884394486.000001BF97A2E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1914928205.000001BF8F94C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1709854080.000001BF8DE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710883935.000001BF8DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1708713547.000001BF8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709027772.000001BF8DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709217872.000001BF8DE3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1896364020.000001BF96717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913603722.000001BF96717000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1908185969.000001BF96788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896364020.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1709854080.000001BF8DE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710883935.000001BF8DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841985217.000001BF8FABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1708713547.000001BF8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709027772.000001BF8DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709217872.000001BF8DE3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1887064028.000001BF91679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922454433.000001BF91679000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1709854080.000001BF8DE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710883935.000001BF8DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1708713547.000001BF8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709027772.000001BF8DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709217872.000001BF8DE3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1922454433.000001BF91679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922454433.000001BF9169A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3524053546.0000025D860C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3526781864.000002860EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1912204055.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1907659973.000001BF96859000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1908185969.000001BF96788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896364020.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3524053546.0000025D860C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3526781864.000002860EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1907659973.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860EC0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1782443145.000001BF8EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783096124.000001BF8EA52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1780709760.000001BF8EA3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1890341357.000001BF906DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1895399959.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920703009.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906765202.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912204055.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1907659973.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860ECC3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1896136748.000001BF9815D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1780709760.000001BF8EA19000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1840098493.000001BF8F63B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840989400.000001BF8F65C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1912204055.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1896364020.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1912204055.000001BF9995E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF1312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860EC13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1890341357.000001BF906DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1895399959.000001BF99935000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3524098043.0000027EF1386000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1896364020.000001BF96717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913603722.000001BF96717000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1887064028.000001BF91642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910902437.000001BF8FAC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722789436.000001BF8E3F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758134307.000001BF965E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850207451.000001BF96671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879312293.000001BF9653B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1864504686.000001BF97BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888903773.000001BF90CAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886694051.000001BF96814000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839485802.000001BF8E3FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1840855487.000001BF8F872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921926204.000001BF96723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841086709.000001BF8F8C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722789436.000001BF8E3DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1790276257.000001BF9A86C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843585347.000001BF91BC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1839485802.000001BF8E3F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913603722.000001BF96723000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879115456.000001BF965E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888213296.000001BF91615000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883973663.000001BF9A3B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1887064028.000001BF91679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922454433.000001BF91679000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1887064028.000001BF91679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1887991333.000001BF91622000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922454433.000001BF91679000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1758134307.000001BF965D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879312293.000001BF965D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922098487.000001BF965D6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1879908234.000001BF9650F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1879908234.000001BF9650F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1779865400.000001BF966A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754472678.000001BF966A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860344704.000001BF966A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845727055.000001BF9669E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752963457.000001BF966B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1753709150.000001BF966B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1752279412.000001BF966B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849793468.000001BF9669E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000D.00000003.1896364020.000001BF96782000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1884394486.000001BF97A86000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1908185969.000001BF96788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896364020.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1717076102.000001BF8D632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716924204.000001BF8D61A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716241940.000001BF8D633000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1914982264.000001BF8F913000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1887064028.000001BF9169A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922454433.000001BF9169A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1782443145.000001BF8EA4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1781174923.000001BF8EA4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1783096124.000001BF8EA52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1780709760.000001BF8EA3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1717076102.000001BF8D632000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716924204.000001BF8D61A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716241940.000001BF8D633000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1895399959.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920703009.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906765202.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912204055.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3524053546.0000025D860C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3524098043.0000027EF13E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3526781864.000002860EF03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1907659973.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1890341357.000001BF906DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1894442387.000001BF99FB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906393417.000001BF99CFC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1895399959.000001BF99935000.00000004.00000800.00020000.00000000.sdmp	false	high
https://truecolors.firefox.com/	firefox.exe, 0000000D.00000003.1895399959.000001BF99935000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1709854080.000001BF8DE5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1710883935.000001BF8DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841985217.000001BF8FABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1708713547.000001BF8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709027772.000001BF8DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1709217872.000001BF8DE3C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1896364020.000001BF96717000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913603722.000001BF96717000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3523355314.0000025D85E40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3522171164.0000027EF1060000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3522670902.000002860EA10000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561502
Start date and time:	2024-11-23 15:45:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@70/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.164.125.63, 52.12.64.98, 35.80.238.59, 172.217.17.42, 172.217.17.46, 88.221.134.155, 88.221.134.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 6044 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	decode_c4dbf387b077f2573e7bccb997d0921d62fdc422a3e72e523efa6385a324f331.exe	Get hash	malicious	PureLog Stealer	Browse	57.128.155.22

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1b91648b-0771-4a99-b9b2-056bc8087362.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183859048921776
Encrypted:	false
SSDEEP:	192:NjMXnTkcbhbVbTbfbRbObtbyEl7nMrCJA6WnSrDtTUd/SkDr+:NYYcNhnzFSJsrxBnSrDhUd/A
MD5:	D959DBD1D4DE5FD48C571625039A99F4
SHA1:	A9A3AF2158ACC697958FCC77FFA90A557ACCAF12
SHA-256:	F152673BE9B62C84A74039DAD903337667C4D10054A4362C5E1F8AB3244B37EF
SHA-512:	160EFB11C8FF651C5493EF777BB9780F743B0A031135191A726087C1C9F8AC8B1C75A83F4F3F207793CCB0CF66B64B523332A33EC66CB8B549F0BF7C2C090257
Malicious:	false
Preview:	{"type":"uninstall","id":"1b91648b-0771-4a99-b9b2-056bc8087362","creationDate":"2024-11-23T16:07:43.862Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1b91648b-0771-4a99-b9b2-056bc8087362.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.183859048921776
Encrypted:	false
SSDEEP:	192:NjMXnTkcbhbVbTbfbRbObtbyEl7nMrCJA6WnSrDtTUd/SkDr+:NYYcNhnzFSJsrxBnSrDhUd/A
MD5:	D959DBD1D4DE5FD48C571625039A99F4
SHA1:	A9A3AF2158ACC697958FCC77FFA90A557ACCAF12
SHA-256:	F152673BE9B62C84A74039DAD903337667C4D10054A4362C5E1F8AB3244B37EF
SHA-512:	160EFB11C8FF651C5493EF777BB9780F743B0A031135191A726087C1C9F8AC8B1C75A83F4F3F207793CCB0CF66B64B523332A33EC66CB8B549F0BF7C2C090257
Malicious:	false
Preview:	{"type":"uninstall","id":"1b91648b-0771-4a99-b9b2-056bc8087362","creationDate":"2024-11-23T16:07:43.862Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.31362603946575
Encrypted:	false
SSDEEP:	24:ELdfeT/AeTIUx2dWoM158LN8zm5LdfeT/AeswM+bpoqdWoM158LFX1RgmbLdfeTA:UdOI3UgdwNzedOIx6Bdwr0dOIxadw51
MD5:	45A97519D2E9AAD8C8E6FE2D81230C99
SHA1:	AB81FFD286055182BDA8DDEFAC1247549F6CBE1D
SHA-256:	A5B2934173C8C86FA942639468B97B364EFDB799C8278E10D8F80D06438692FB
SHA-512:	B346FBECCCDF7B17BEA2FF0DAA966CB6C15809AA31B55642EEAE19ADA7C843A86C652CA92E79B02EC65EA93AD2E39906DBBDC65854A144F1840D20A3D8280531
Malicious:	false
Preview:	...................................FL..................F.@.. ...p..........p.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.u....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.u............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.u..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........h..v.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.31362603946575
Encrypted:	false
SSDEEP:	24:ELdfeT/AeTIUx2dWoM158LN8zm5LdfeT/AeswM+bpoqdWoM158LFX1RgmbLdfeTA:UdOI3UgdwNzedOIx6Bdwr0dOIxadw51
MD5:	45A97519D2E9AAD8C8E6FE2D81230C99
SHA1:	AB81FFD286055182BDA8DDEFAC1247549F6CBE1D
SHA-256:	A5B2934173C8C86FA942639468B97B364EFDB799C8278E10D8F80D06438692FB
SHA-512:	B346FBECCCDF7B17BEA2FF0DAA966CB6C15809AA31B55642EEAE19ADA7C843A86C652CA92E79B02EC65EA93AD2E39906DBBDC65854A144F1840D20A3D8280531
Malicious:	false
Preview:	...................................FL..................F.@.. ...p..........p.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.u....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.u............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.u..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........h..v.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NIEWICM7F2IBVLF3C51.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.31362603946575
Encrypted:	false
SSDEEP:	24:ELdfeT/AeTIUx2dWoM158LN8zm5LdfeT/AeswM+bpoqdWoM158LFX1RgmbLdfeTA:UdOI3UgdwNzedOIx6Bdwr0dOIxadw51
MD5:	45A97519D2E9AAD8C8E6FE2D81230C99
SHA1:	AB81FFD286055182BDA8DDEFAC1247549F6CBE1D
SHA-256:	A5B2934173C8C86FA942639468B97B364EFDB799C8278E10D8F80D06438692FB
SHA-512:	B346FBECCCDF7B17BEA2FF0DAA966CB6C15809AA31B55642EEAE19ADA7C843A86C652CA92E79B02EC65EA93AD2E39906DBBDC65854A144F1840D20A3D8280531
Malicious:	false
Preview:	...................................FL..................F.@.. ...p..........p.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.u....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.u............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.u..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........h..v.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FW7TA428R65O9ZNLNOZI.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.31362603946575
Encrypted:	false
SSDEEP:	24:ELdfeT/AeTIUx2dWoM158LN8zm5LdfeT/AeswM+bpoqdWoM158LFX1RgmbLdfeTA:UdOI3UgdwNzedOIx6Bdwr0dOIxadw51
MD5:	45A97519D2E9AAD8C8E6FE2D81230C99
SHA1:	AB81FFD286055182BDA8DDEFAC1247549F6CBE1D
SHA-256:	A5B2934173C8C86FA942639468B97B364EFDB799C8278E10D8F80D06438692FB
SHA-512:	B346FBECCCDF7B17BEA2FF0DAA966CB6C15809AA31B55642EEAE19ADA7C843A86C652CA92E79B02EC65EA93AD2E39906DBBDC65854A144F1840D20A3D8280531
Malicious:	false
Preview:	...................................FL..................F.@.. ...p..........p.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.u....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.u............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY.u..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........h..v.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926444120491026
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLnJnY8P:8S+OBIUjOdwiOdYVjjwLJY8P
MD5:	96C6803511F70F3A0F4B7537F0099B80
SHA1:	B66F2FBDB80A20B3CA241B430254ABEADE99B521
SHA-256:	699033ABB3EBCD7D1A54514D55B6EA0F616F9B11B12D335FC0B3963985130B65
SHA-512:	DC7BAEC1DA0B9D44522100D633D36ED64B69888583F7F3B70AAED4CA39E235938FED71C942AF5BC760A52E7889E5880C335A985B0EC345B0FDB812AB783164F7
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926444120491026
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLnJnY8P:8S+OBIUjOdwiOdYVjjwLJY8P
MD5:	96C6803511F70F3A0F4B7537F0099B80
SHA1:	B66F2FBDB80A20B3CA241B430254ABEADE99B521
SHA-256:	699033ABB3EBCD7D1A54514D55B6EA0F616F9B11B12D335FC0B3963985130B65
SHA-512:	DC7BAEC1DA0B9D44522100D633D36ED64B69888583F7F3B70AAED4CA39E235938FED71C942AF5BC760A52E7889E5880C335A985B0EC345B0FDB812AB783164F7
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07330415795836097
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkilUko:DLhesh7Owd4+ji
MD5:	99B48513B910EAF0B4905340DDF1AB4A
SHA1:	753D5487B901C8BCD9E5A5A2AE8D0FAA262F1D88
SHA-256:	20CB61FD212CED36D609E241E645BA86F970A34280697E8CA063D43A4A0025D1
SHA-512:	DC6C2960CBF638B52678CD90BD20145BDFC3834724F2F4BA1D430223D0A9D5CEFCF5B7594EBF2727CB8310BC7C21D81ABA1C03EBB51928A78C568F172296EAB2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039621234087707576
Encrypted:	false
SSDEEP:	3:GHlhVmnlCvPxx5ZOHm8dlhVmnlCvPxx5ZOHmZ/ol8a9//Ylll4llqlyllel4lt:G7VmnlyxLEVmnlyxLwL9XIwlio
MD5:	14CDFCE32E7866686B5663660568C427
SHA1:	E7D48D5F94E939885475122B54C17F1DEECAF2C1
SHA-256:	5837462973691EFD0A8F1FC45EE4478E56837C222BBB306021DF7D0AA453CFA0
SHA-512:	F01EC8C122D252600DDB8CDE92C3F89395D45206F41B6FDBFE61572DB0A742E0BB5C82860386A827A0D6F96C4ACBD7C983CB66DB1C47619184BAD5C75551E215
Malicious:	false
Preview:	..-......................B?v@}'J...%....kb1.T...-......................B?v@}'J...%....kb1.T.........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11794662028405457
Encrypted:	false
SSDEEP:	24:KETjnfkkLxsZ+JjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxfwlclVZ2i7+:VjnMQQeJtUnWdU+RVxoqTZk
MD5:	8FDA5A3B4E861A6E16ADA0C4933E0542
SHA1:	E8106604A642DD8E3312E9E5C1BC905363633F5E
SHA-256:	4EA32FB6D4E7E06953520E94439CEEFB7B5DB73049867025F9B21DF0FF3C05C3
SHA-512:	F037905FBD5F1DDA62AADBC5F3C9C9EAC7564198B57DCDB66370027E1C0F38057C2503A0DB912E522A7D27BE9FC7EF4ABD406D0C4136E659C6316AB79B64F92F
Malicious:	false
Preview:	7....-.............%...t....=............%.....\....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494578637315024
Encrypted:	false
SSDEEP:	192:xnaRtLYbBp6xhj4qyaaXc6KG9NJr5RfGNBw8dkSl:8e/qsFXhcwP0
MD5:	7EC7251F18D6C1815A3CF765EE87AA4C
SHA1:	907E2E6F55ACE8D83336A47BCB7848346BCF6792
SHA-256:	1F914411C74D240B0F22F74AEF015479154851EE8A13587448A9456231F26F89
SHA-512:	6248EE306CCBF57D2E05E3C31D4F333A7760197C30CF933DE5AB2FB5788A6DC5F463A8EDF84C60E882A5F85C1E0098E8FC48B4905152BF943ABF6B481C6E24EC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732378034);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732378034);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732378034);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173237

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494578637315024
Encrypted:	false
SSDEEP:	192:xnaRtLYbBp6xhj4qyaaXc6KG9NJr5RfGNBw8dkSl:8e/qsFXhcwP0
MD5:	7EC7251F18D6C1815A3CF765EE87AA4C
SHA1:	907E2E6F55ACE8D83336A47BCB7848346BCF6792
SHA-256:	1F914411C74D240B0F22F74AEF015479154851EE8A13587448A9456231F26F89
SHA-512:	6248EE306CCBF57D2E05E3C31D4F333A7760197C30CF933DE5AB2FB5788A6DC5F463A8EDF84C60E882A5F85C1E0098E8FC48B4905152BF943ABF6B481C6E24EC
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732378034);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732378034);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732378034);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173237

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	6.356787335342927
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSamUYLXnIgG3R/pnxQwRls6ZspHqGH3j6xiMgXtdL/5QH2oXpTurD/7:cpOxPMu3rnRTZYNGxHgX5kpTgw6w4
MD5:	172BFE43A2D19EBCDD79301303D9437B
SHA1:	466202B27FB6E25CB10A800CAB2ED2946B3C9970
SHA-256:	A054A3ED48C101689450C429E6AA063B812E61AEE1AD639EF71B2238DE7CA7EE
SHA-512:	925C8CE4923CBF6F9CE803754238C3D69FC1619BB851E160935EF673804867F739F918E0ADA0220B7EF948DCA4F10A8518B76DDE2BAEF3FA56C05C56101C39DF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9e03e02b-804e-44a0-8311-bd3c68e7e535}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732378040514,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..P03747...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...11250,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	6.356787335342927
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSamUYLXnIgG3R/pnxQwRls6ZspHqGH3j6xiMgXtdL/5QH2oXpTurD/7:cpOxPMu3rnRTZYNGxHgX5kpTgw6w4
MD5:	172BFE43A2D19EBCDD79301303D9437B
SHA1:	466202B27FB6E25CB10A800CAB2ED2946B3C9970
SHA-256:	A054A3ED48C101689450C429E6AA063B812E61AEE1AD639EF71B2238DE7CA7EE
SHA-512:	925C8CE4923CBF6F9CE803754238C3D69FC1619BB851E160935EF673804867F739F918E0ADA0220B7EF948DCA4F10A8518B76DDE2BAEF3FA56C05C56101C39DF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9e03e02b-804e-44a0-8311-bd3c68e7e535}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732378040514,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..P03747...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...11250,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1603
Entropy (8bit):	6.356787335342927
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSamUYLXnIgG3R/pnxQwRls6ZspHqGH3j6xiMgXtdL/5QH2oXpTurD/7:cpOxPMu3rnRTZYNGxHgX5kpTgw6w4
MD5:	172BFE43A2D19EBCDD79301303D9437B
SHA1:	466202B27FB6E25CB10A800CAB2ED2946B3C9970
SHA-256:	A054A3ED48C101689450C429E6AA063B812E61AEE1AD639EF71B2238DE7CA7EE
SHA-512:	925C8CE4923CBF6F9CE803754238C3D69FC1619BB851E160935EF673804867F739F918E0ADA0220B7EF948DCA4F10A8518B76DDE2BAEF3FA56C05C56101C39DF
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{9e03e02b-804e-44a0-8311-bd3c68e7e535}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732378040514,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate...5,"startTim..P03747...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...11250,"originA..

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034166843537588
Encrypted:	false
SSDEEP:	48:YrSAYS56UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycS5yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	DB6ED6E604CC4D40F662A8EB491038FE
SHA1:	50AE6939E4D1DBECC1B0E8DDDC01151A48B55056
SHA-256:	0EBB5547798EDF1BB1A0E42194ABAA0FC5A95A0DB810EE3E06AD4EBBD322221F
SHA-512:	3F4CA8979844200D17CA5BDA386168DA06E1E3B857F22542BC2517B160C9F862520A70F4ABBD01B74FFDF6F5E3A073DCC088E8831E16DABA23AABE10E1CAEBA5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T16:07:01.663Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034166843537588
Encrypted:	false
SSDEEP:	48:YrSAYS56UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycS5yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	DB6ED6E604CC4D40F662A8EB491038FE
SHA1:	50AE6939E4D1DBECC1B0E8DDDC01151A48B55056
SHA-256:	0EBB5547798EDF1BB1A0E42194ABAA0FC5A95A0DB810EE3E06AD4EBBD322221F
SHA-512:	3F4CA8979844200D17CA5BDA386168DA06E1E3B857F22542BC2517B160C9F862520A70F4ABBD01B74FFDF6F5E3A073DCC088E8831E16DABA23AABE10E1CAEBA5
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T16:07:01.663Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5912096438867565
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	6af576da82f8f0fb7902fa3ce4235e02
SHA1:	50b419ba7eae5134087ff07933e0863431ec2f1f
SHA256:	ed2da9b6055690c5086b520108d1a1b4b736367d558850ae484fe8a1d84bd580
SHA512:	09da84d1558f4c11f16a4c758a66411ae396d8c2c5dd6286289416556390a3711ebdbb5e5c264f192d67ab1f818df034a46ace4a6bb4d724b455c4ee9b2cf9f3
SSDEEP:	12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaYTg:FqDEvCTbMWu7rQYlBQcBiT6rprG8agg
TLSH:	7D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6741E547 [Sat Nov 23 14:23:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F77B4C28103h
jmp 00007F77B4C27A0Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F77B4C27BEDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F77B4C27BBAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F77B4C2A7ADh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F77B4C2A7F8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F77B4C2A7E1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa644	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa644	0xa800	1690a6ca534dd39ee019cbf891de82c9	False	0.36046781994047616	data	5.610513719438033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x190a	data			1.0017160686427458
RT_GROUP_ICON	0xde0c4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde13c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde150	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde164	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde178	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde254	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:46:06.118576050 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:06.118649960 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:06.118892908 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:06.123768091 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:06.123801947 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:07.408262968 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:07.411618948 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:07.495414019 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:07.495460987 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:07.495600939 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:07.496109962 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:07.499620914 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:08.804428101 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.804503918 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:08.804739952 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.806226015 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.806260109 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:08.876974106 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.877012014 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:08.881568909 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.890309095 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:08.890326023 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:09.092901945 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:09.213907003 CET	80	49741	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:09.214252949 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:09.214385033 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:09.334496975 CET	80	49741	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:10.072295904 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:10.072323084 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:10.073122025 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.073129892 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:10.074431896 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:10.074431896 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.074610949 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:10.074623108 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:10.076081038 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.076090097 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:10.395152092 CET	80	49741	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:10.449896097 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:10.456973076 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.457022905 CET	443	49744	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:10.457103014 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.458431005 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:10.458468914 CET	443	49744	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:10.490582943 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:10.490679026 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:10.490783930 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:10.490881920 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:10.490912914 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:10.514342070 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.514451981 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.515348911 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.515420914 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.519748926 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.519777060 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.519836903 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.520071030 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.520134926 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.675419092 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.675498009 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.676137924 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.676352024 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.679379940 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.679398060 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.679478884 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.679555893 CET	443	49740	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.679801941 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.679866076 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.679877043 CET	49740	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.680108070 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.681298018 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:10.681329012 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:10.720344067 CET	49747	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:10.845340014 CET	80	49747	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:10.851170063 CET	49747	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:10.857130051 CET	49747	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:10.976830006 CET	80	49747	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:11.334937096 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:11.336880922 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.342093945 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.346376896 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.346384048 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:11.346597910 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:11.351640940 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.351722002 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.351744890 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:11.351866007 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.351876974 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:11.351876974 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.355035067 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.355038881 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.355129004 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.355155945 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.355457067 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.355511904 CET	443	49749	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.355521917 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.355694056 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.356995106 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.357014894 CET	443	49749	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.439996958 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:11.546086073 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:11.560183048 CET	80	49741	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:11.560262918 CET	49741	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:11.665810108 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:11.668998003 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:11.669262886 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:11.689876080 CET	443	49744	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.692981958 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.696890116 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.696928978 CET	443	49744	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.696980000 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.697094917 CET	443	49744	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:11.697210073 CET	49744	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:11.760308981 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:11.760363102 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:11.763020039 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:11.763046980 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:11.763283968 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:11.765614986 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:11.765678883 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:11.765753031 CET	443	49745	34.160.144.191	192.168.2.4
Nov 23, 2024 15:46:11.765818119 CET	49745	443	192.168.2.4	34.160.144.191
Nov 23, 2024 15:46:11.789242983 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:12.003530025 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.003582954 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:12.009757042 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.011176109 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.011228085 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:12.036986113 CET	80	49747	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:12.038419962 CET	49747	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:12.135678053 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:12.135750055 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:12.135905981 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:12.137119055 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:12.137152910 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:12.140497923 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:12.140518904 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:12.140737057 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:12.141916990 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:12.141941071 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:12.159177065 CET	80	49747	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:12.159249067 CET	49747	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:12.166501045 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:12.166529894 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:12.166701078 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:12.166804075 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:12.166821003 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:12.183893919 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:12.183921099 CET	443	49756	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:12.184024096 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:12.185240030 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:12.185247898 CET	443	49756	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:12.482312918 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:12.482409000 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:12.484824896 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:12.486867905 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:12.564026117 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:12.564089060 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:12.564142942 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:12.564784050 CET	443	49746	142.250.181.78	192.168.2.4
Nov 23, 2024 15:46:12.568295956 CET	49746	443	192.168.2.4	142.250.181.78
Nov 23, 2024 15:46:12.790726900 CET	443	49749	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:12.790841103 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.795417070 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.795449972 CET	443	49749	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:12.795490980 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.795639992 CET	443	49749	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:12.795700073 CET	49749	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:12.941266060 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:12.988246918 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:13.322573900 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:13.322655916 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.326817989 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.326834917 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:13.326951027 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.326966047 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:13.327280998 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.327334881 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:13.327356100 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.327390909 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.328584909 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:13.328603029 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:13.371057034 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:13.371162891 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:13.375514030 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:13.375538111 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:13.375581026 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:13.375700951 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:13.375760078 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:13.441060066 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:13.441129923 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:13.443828106 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:13.443842888 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:13.444082975 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:13.446783066 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:13.446844101 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:13.446913958 CET	443	49755	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:13.446975946 CET	49755	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:13.465660095 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:13.465749979 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:13.470376015 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:13.470392942 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:13.470453024 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:13.470539093 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:13.470602036 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:13.489518881 CET	443	49756	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:13.489581108 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.494048119 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.494055033 CET	443	49756	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:13.494137049 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.494173050 CET	443	49756	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:13.495906115 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.495923042 CET	443	49758	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:13.495953083 CET	49756	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.496186018 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.499169111 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:13.499174118 CET	443	49758	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:14.647927046 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:14.650156021 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:14.657881021 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:14.657900095 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:14.658256054 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:14.658288956 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:14.658297062 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:14.801470041 CET	443	49758	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:14.802278996 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:14.846026897 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:14.846035957 CET	443	49758	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:14.846105099 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:14.846148014 CET	443	49758	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:14.851969957 CET	49758	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:14.863359928 CET	443	49757	34.117.188.166	192.168.2.4
Nov 23, 2024 15:46:14.870477915 CET	49757	443	192.168.2.4	34.117.188.166
Nov 23, 2024 15:46:16.530193090 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:16.531524897 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:16.549782038 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.549823999 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.550517082 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.550697088 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.550719023 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.650027990 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:16.651206970 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:16.651216030 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:16.651357889 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:16.675120115 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.675153971 CET	443	49761	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.675323009 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.675350904 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.675355911 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.675518036 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.679459095 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.679471970 CET	443	49761	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.679651976 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:16.679666996 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:16.771018982 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:16.864655018 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:16.916821957 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:17.812450886 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.812668085 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.816736937 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.816744089 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.817121983 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.820220947 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.820365906 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.820410013 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.820482016 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.828669071 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:17.871635914 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:17.937072039 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.937170982 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.940541029 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.940546036 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.940819025 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.944314957 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.944392920 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.944451094 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.944559097 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.985033989 CET	443	49761	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.985122919 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.989433050 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.989439964 CET	443	49761	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.989486933 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:17.989558935 CET	443	49761	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:17.989692926 CET	49761	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:20.943772078 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:20.946537018 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:20.948554039 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:20.948601961 CET	443	49767	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:20.948684931 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:20.950107098 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:20.950136900 CET	443	49767	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:21.066778898 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:21.069304943 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:21.279077053 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:21.282798052 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:21.319500923 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:21.335129023 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:21.985943079 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:21.993784904 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:21.993813992 CET	443	49768	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:21.995974064 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:22.105715036 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:22.294132948 CET	443	49767	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:22.298248053 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:22.318089008 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:22.369237900 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:22.893384933 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:22.893400908 CET	443	49768	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:22.898143053 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:22.898185968 CET	443	49767	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:22.898262024 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:22.898809910 CET	443	49767	34.120.208.123	192.168.2.4
Nov 23, 2024 15:46:22.900028944 CET	49767	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:46:24.209075928 CET	443	49768	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:24.209692001 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:24.748961926 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:24.748972893 CET	443	49768	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:24.749041080 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:24.749114037 CET	443	49768	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:24.752183914 CET	49768	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:25.259516001 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:25.379872084 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:25.595618010 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:25.647466898 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:25.668796062 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:25.788558006 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:26.001137972 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:26.048633099 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:34.351684093 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:34.351790905 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:34.351975918 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:34.352061033 CET	443	49772	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:34.354696035 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:34.354834080 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:34.354850054 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:34.354885101 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:34.356340885 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:34.356379986 CET	443	49772	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:34.466192961 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:34.466274023 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:34.466526985 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:34.466649055 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:34.466697931 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:34.500902891 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:34.500992060 CET	443	49774	35.201.103.21	192.168.2.4
Nov 23, 2024 15:46:34.501231909 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:34.502604961 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:34.502643108 CET	443	49774	35.201.103.21	192.168.2.4
Nov 23, 2024 15:46:34.566354990 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:34.566375017 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:34.566445112 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:34.566531897 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:34.566541910 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:35.364818096 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:35.364885092 CET	443	49776	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:35.365204096 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:35.366594076 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:35.366627932 CET	443	49776	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:35.570133924 CET	443	49772	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:35.570204973 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:35.574557066 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:35.574573994 CET	443	49772	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:35.574630976 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:35.574702978 CET	443	49772	35.190.72.216	192.168.2.4
Nov 23, 2024 15:46:35.575483084 CET	49772	443	192.168.2.4	35.190.72.216
Nov 23, 2024 15:46:35.576796055 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:35.606988907 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:35.623871088 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.625117064 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.628058910 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.628106117 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.629034042 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.630084038 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.630150080 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.630475998 CET	443	49771	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.631504059 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.631691933 CET	49771	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.699249029 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:35.731076002 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:35.742886066 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.742958069 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.745762110 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.745776892 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.746088982 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.748258114 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.748320103 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.748428106 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.748862028 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.820573092 CET	443	49774	35.201.103.21	192.168.2.4
Nov 23, 2024 15:46:35.820652962 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:35.824606895 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:35.824631929 CET	443	49774	35.201.103.21	192.168.2.4
Nov 23, 2024 15:46:35.824676037 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:35.824879885 CET	443	49774	35.201.103.21	192.168.2.4
Nov 23, 2024 15:46:35.826225996 CET	49774	443	192.168.2.4	35.201.103.21
Nov 23, 2024 15:46:35.837142944 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.837207079 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.837330103 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.837433100 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:35.837456942 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:35.878643990 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:35.878783941 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:35.881851912 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:35.881855965 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:35.882047892 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:35.883786917 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:35.883867979 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:35.883884907 CET	443	49775	151.101.129.91	192.168.2.4
Nov 23, 2024 15:46:35.884012938 CET	49775	443	192.168.2.4	151.101.129.91
Nov 23, 2024 15:46:35.890077114 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.890091896 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.890197992 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.890302896 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.890311003 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.892015934 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.892076969 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.892173052 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.892287970 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.892333984 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.894113064 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.894139051 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.899388075 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.899635077 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:35.899648905 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:35.912967920 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:35.922141075 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:35.961185932 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:36.008093119 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:36.053586960 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:36.127587080 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:36.266613007 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:36.308918953 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:36.586318970 CET	443	49776	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:36.586404085 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:36.590691090 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:36.590723038 CET	443	49776	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:36.590786934 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:36.590873003 CET	443	49776	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:36.591902971 CET	49776	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:36.593043089 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:36.718607903 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:36.981457949 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:36.984210014 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.026537895 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.103822947 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.157453060 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:37.157546043 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:37.160808086 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:37.160828114 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:37.161325932 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:37.163541079 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:37.163688898 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:37.163736105 CET	443	49777	34.149.100.209	192.168.2.4
Nov 23, 2024 15:46:37.164602995 CET	49777	443	192.168.2.4	34.149.100.209
Nov 23, 2024 15:46:37.167783022 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.242295980 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.242383003 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.242420912 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.242763996 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.245457888 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.245490074 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.245831966 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.246496916 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.247886896 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.247891903 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.248090982 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.248205900 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.250376940 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.250406981 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.251096010 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.253832102 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.253917933 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.254014015 CET	443	49779	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.254610062 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.254669905 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.254771948 CET	443	49778	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.255357981 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.255395889 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.255537987 CET	443	49780	35.244.181.201	192.168.2.4
Nov 23, 2024 15:46:37.255623102 CET	49778	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.255623102 CET	49779	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.255654097 CET	49780	443	192.168.2.4	35.244.181.201
Nov 23, 2024 15:46:37.287337065 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.320125103 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.365160942 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.500791073 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.503432989 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.543628931 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.626559019 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.838632107 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:37.841363907 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.882249117 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:37.960885048 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:38.175374031 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:38.178456068 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:38.229969025 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:38.297990084 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:38.510462046 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:38.568645954 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:48.178364992 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:48.298507929 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:48.517222881 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:48.636940956 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:56.606394053 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:56.606481075 CET	443	49783	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:56.608169079 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:56.609396935 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:56.609451056 CET	443	49783	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:57.883245945 CET	443	49783	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:57.883361101 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:57.887109995 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:57.887131929 CET	443	49783	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:57.887192965 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:57.887825012 CET	443	49783	34.107.243.93	192.168.2.4
Nov 23, 2024 15:46:57.887892962 CET	49783	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:46:57.889481068 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:58.008994102 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:58.222220898 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:58.224798918 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:58.263250113 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:46:58.345199108 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:58.556761026 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:46:58.601869106 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:04.344161034 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.344175100 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:04.344326973 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.344420910 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.344425917 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:04.344429970 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:04.344822884 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.344845057 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.344858885 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.345026970 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.345035076 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:04.345149040 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.345158100 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:04.345253944 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:04.345285892 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.601645947 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.601726055 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.606173038 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.606177092 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.606400967 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.607162952 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.607299089 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.608297110 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.609581947 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.609586000 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.609735012 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.610248089 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.611969948 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.611988068 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.612340927 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.614012957 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.614120007 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.614160061 CET	443	49796	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.614794016 CET	49796	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.615916967 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.616027117 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.616027117 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.616035938 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.616581917 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.616652966 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.616767883 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 15:47:05.617264986 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.618144989 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 15:47:05.619575024 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:05.789907932 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:06.003690004 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:06.007513046 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:06.054497957 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:06.127036095 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:06.341766119 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:06.387042999 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:16.016808987 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:16.140386105 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:16.352798939 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:16.472462893 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:26.143522024 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:26.265909910 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:26.482121944 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:26.601681948 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:36.272783995 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:36.392429113 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:36.611007929 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:36.731149912 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:38.331965923 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:38.331995010 CET	443	49875	34.107.243.93	192.168.2.4
Nov 23, 2024 15:47:38.332401037 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:38.333811998 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:38.333825111 CET	443	49875	34.107.243.93	192.168.2.4
Nov 23, 2024 15:47:39.590933084 CET	443	49875	34.107.243.93	192.168.2.4
Nov 23, 2024 15:47:39.591079950 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:39.596386909 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:39.596396923 CET	443	49875	34.107.243.93	192.168.2.4
Nov 23, 2024 15:47:39.596494913 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:39.596534967 CET	443	49875	34.107.243.93	192.168.2.4
Nov 23, 2024 15:47:39.596846104 CET	49875	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:47:39.598934889 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:39.718487978 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:39.932162046 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:39.935925007 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:39.983155012 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:40.060051918 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:40.271694899 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:40.321751118 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:49.932651997 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:50.052386999 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:47:50.280271053 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:47:50.399888992 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:00.061655998 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:00.181416035 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:00.409444094 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:00.529356003 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:10.190603971 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:10.310219049 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:10.538372993 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:10.660654068 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:20.320147991 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:20.440068007 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:20.668009996 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:20.793973923 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:30.447958946 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:30.567503929 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:30.795722008 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:30.915227890 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:40.576890945 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:40.696441889 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:40.924736023 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:41.045644999 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:50.705065012 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:50.830528021 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:48:51.052809000 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:48:51.173127890 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:00.034032106 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:00.034053087 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:00.034395933 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:00.036130905 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:00.036145926 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:00.834386110 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:49:00.960329056 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:01.182030916 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:49:01.307452917 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:01.338793993 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:01.338860035 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:01.344057083 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:01.344069958 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:01.344182014 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:01.344192028 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:01.344197035 CET	443	50055	34.107.243.93	192.168.2.4
Nov 23, 2024 15:49:01.344364882 CET	50055	443	192.168.2.4	34.107.243.93
Nov 23, 2024 15:49:01.346796989 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:49:01.470206976 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:01.683464050 CET	80	49751	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:01.689575911 CET	49759	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:49:01.736964941 CET	49751	80	192.168.2.4	34.107.221.82
Nov 23, 2024 15:49:01.809031963 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:02.022042036 CET	80	49759	34.107.221.82	192.168.2.4
Nov 23, 2024 15:49:02.068965912 CET	49759	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 15:46:06.118804932 CET	52627	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:06.264565945 CET	53	52627	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:06.266093969 CET	63808	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:06.608869076 CET	53	63808	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:08.664108992 CET	57685	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:08.664494038 CET	50390	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:08.801999092 CET	53	57685	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:08.803500891 CET	57554	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:08.804646969 CET	60792	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:08.940800905 CET	53	57554	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:08.941597939 CET	63479	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:08.948271990 CET	53	60792	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:08.948957920 CET	62218	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:09.080864906 CET	53	63479	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:09.088799953 CET	53	62218	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:09.351809978 CET	62952	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:09.498188972 CET	53	62952	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.073518038 CET	55931	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.073776007 CET	50146	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.212449074 CET	53	50146	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.213614941 CET	53	55931	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.318722010 CET	55954	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.330898046 CET	61042	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.331162930 CET	49856	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.344602108 CET	60469	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.456180096 CET	53	55954	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.457164049 CET	56080	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.468872070 CET	53	61042	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.471992016 CET	53	49856	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.483207941 CET	53	60469	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.490735054 CET	60192	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.560132027 CET	61009	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.574518919 CET	60464	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.576122999 CET	55779	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.597615004 CET	53	56080	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.598136902 CET	63950	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.635699034 CET	53	60192	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.636244059 CET	62861	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:10.704417944 CET	53	61009	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.718599081 CET	53	60464	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.754841089 CET	53	63950	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:10.781141996 CET	53	62861	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:11.291879892 CET	59276	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:11.617424965 CET	60016	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:11.850976944 CET	53	60016	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:11.851919889 CET	50399	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:11.992602110 CET	53	50399	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:11.993221998 CET	62958	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.016133070 CET	53	59919	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.042644978 CET	49818	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.130496025 CET	53	62958	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.140691996 CET	49583	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.180684090 CET	53	49818	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.184206963 CET	62488	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.278861046 CET	53	49583	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.279730082 CET	49538	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.322488070 CET	53	62488	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.323573112 CET	49941	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:12.417982101 CET	53	49538	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:12.462517977 CET	53	49941	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:16.079416990 CET	55497	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:16.217782021 CET	53	55497	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:16.218539000 CET	50814	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:16.362095118 CET	53	50814	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:16.362808943 CET	56488	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:16.502177000 CET	53	56488	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:20.928972006 CET	59010	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:20.929229975 CET	54281	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:20.929461002 CET	57157	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:20.943877935 CET	63579	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.068015099 CET	53	59010	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.068274021 CET	53	54281	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.069008112 CET	53	57157	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.723674059 CET	56254	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.723745108 CET	55349	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.724042892 CET	61044	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.861996889 CET	53	56254	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.862047911 CET	53	61044	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.862644911 CET	56933	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.866173029 CET	53	55349	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:21.888349056 CET	49751	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:21.888349056 CET	51863	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:22.025968075 CET	53	49751	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:22.028179884 CET	53	51863	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:22.069760084 CET	53	56933	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:22.889811039 CET	53362	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:22.890239000 CET	61643	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:22.895508051 CET	57392	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.034794092 CET	53	61643	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.035355091 CET	53	53362	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.041019917 CET	53	57392	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.435096979 CET	65158	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.435976982 CET	62845	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.436273098 CET	59790	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.572369099 CET	53	65158	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.573337078 CET	53	59790	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.574661970 CET	64503	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.636976957 CET	53	62845	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.637566090 CET	57239	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:23.712917089 CET	53	64503	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:23.930700064 CET	53	57239	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.347229004 CET	62256	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.358831882 CET	60872	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.466428041 CET	64670	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.500170946 CET	53	60872	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.501173973 CET	61089	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.565500975 CET	53	62256	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.690979958 CET	53	61089	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.691653013 CET	52127	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.727786064 CET	53	64670	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.728365898 CET	50887	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.728707075 CET	53435	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.835654974 CET	53	52127	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.872479916 CET	53	53435	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:34.873023033 CET	52510	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:34.944550991 CET	53	50887	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:35.021404982 CET	53	52510	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:35.365150928 CET	52737	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:35.503994942 CET	53	52737	1.1.1.1	192.168.2.4
Nov 23, 2024 15:46:56.607193947 CET	65449	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:46:56.746161938 CET	53	65449	1.1.1.1	192.168.2.4
Nov 23, 2024 15:47:04.344752073 CET	57629	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:47:04.487328053 CET	53	57629	1.1.1.1	192.168.2.4
Nov 23, 2024 15:47:38.180514097 CET	50031	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:47:38.330837965 CET	53	50031	1.1.1.1	192.168.2.4
Nov 23, 2024 15:47:38.332360029 CET	64294	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:47:38.471658945 CET	53	64294	1.1.1.1	192.168.2.4
Nov 23, 2024 15:47:39.599173069 CET	64317	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:48:59.750034094 CET	64998	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:48:59.891474962 CET	53	64998	1.1.1.1	192.168.2.4
Nov 23, 2024 15:48:59.892503023 CET	58330	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:49:00.033102989 CET	53	58330	1.1.1.1	192.168.2.4
Nov 23, 2024 15:49:00.033727884 CET	62786	53	192.168.2.4	1.1.1.1
Nov 23, 2024 15:49:00.171689034 CET	53	62786	1.1.1.1	192.168.2.4
Nov 23, 2024 15:49:01.347088099 CET	51844	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 15:46:06.118804932 CET	192.168.2.4	1.1.1.1	0xa608	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:06.266093969 CET	192.168.2.4	1.1.1.1	0xabd8	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:08.664108992 CET	192.168.2.4	1.1.1.1	0x57b3	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.664494038 CET	192.168.2.4	1.1.1.1	0x4024	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.803500891 CET	192.168.2.4	1.1.1.1	0x217e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.804646969 CET	192.168.2.4	1.1.1.1	0x689	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.941597939 CET	192.168.2.4	1.1.1.1	0x417	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:08.948957920 CET	192.168.2.4	1.1.1.1	0x3acd	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:09.351809978 CET	192.168.2.4	1.1.1.1	0xe7de	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.073518038 CET	192.168.2.4	1.1.1.1	0xa15d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.073776007 CET	192.168.2.4	1.1.1.1	0x66ca	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.318722010 CET	192.168.2.4	1.1.1.1	0x7108	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.330898046 CET	192.168.2.4	1.1.1.1	0xc67	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:10.331162930 CET	192.168.2.4	1.1.1.1	0xf00	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:10.344602108 CET	192.168.2.4	1.1.1.1	0xcf1a	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.457164049 CET	192.168.2.4	1.1.1.1	0x2927	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.490735054 CET	192.168.2.4	1.1.1.1	0x38f2	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.560132027 CET	192.168.2.4	1.1.1.1	0x704b	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.574518919 CET	192.168.2.4	1.1.1.1	0x3998	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.576122999 CET	192.168.2.4	1.1.1.1	0xf769	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.598136902 CET	192.168.2.4	1.1.1.1	0x607f	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:10.636244059 CET	192.168.2.4	1.1.1.1	0x2dcf	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:11.291879892 CET	192.168.2.4	1.1.1.1	0x34ed	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:11.617424965 CET	192.168.2.4	1.1.1.1	0x162d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:11.851919889 CET	192.168.2.4	1.1.1.1	0x7b62	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:11.993221998 CET	192.168.2.4	1.1.1.1	0x4b07	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:12.042644978 CET	192.168.2.4	1.1.1.1	0x6886	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.140691996 CET	192.168.2.4	1.1.1.1	0xe4d9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.184206963 CET	192.168.2.4	1.1.1.1	0x48c8	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.279730082 CET	192.168.2.4	1.1.1.1	0xbbac	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:12.323573112 CET	192.168.2.4	1.1.1.1	0x3379	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:16.079416990 CET	192.168.2.4	1.1.1.1	0xf808	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:16.218539000 CET	192.168.2.4	1.1.1.1	0xe24e	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:16.362808943 CET	192.168.2.4	1.1.1.1	0x23fb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:20.928972006 CET	192.168.2.4	1.1.1.1	0xfb15	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:20.929229975 CET	192.168.2.4	1.1.1.1	0x80bd	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:20.929461002 CET	192.168.2.4	1.1.1.1	0x9a3	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:20.943877935 CET	192.168.2.4	1.1.1.1	0xb973	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.723674059 CET	192.168.2.4	1.1.1.1	0xc98b	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.723745108 CET	192.168.2.4	1.1.1.1	0x5e85	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.724042892 CET	192.168.2.4	1.1.1.1	0xbba3	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862644911 CET	192.168.2.4	1.1.1.1	0x7c72	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 15:46:21.888349056 CET	192.168.2.4	1.1.1.1	0x655d	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:21.888349056 CET	192.168.2.4	1.1.1.1	0xf3b3	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:22.889811039 CET	192.168.2.4	1.1.1.1	0x6e56	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:22.890239000 CET	192.168.2.4	1.1.1.1	0xabdc	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:22.895508051 CET	192.168.2.4	1.1.1.1	0x8206	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:23.435096979 CET	192.168.2.4	1.1.1.1	0xb275	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:23.435976982 CET	192.168.2.4	1.1.1.1	0xf362	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.436273098 CET	192.168.2.4	1.1.1.1	0x2003	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.574661970 CET	192.168.2.4	1.1.1.1	0x6bf1	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:23.637566090 CET	192.168.2.4	1.1.1.1	0x7d6a	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:34.347229004 CET	192.168.2.4	1.1.1.1	0x25ff	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.358831882 CET	192.168.2.4	1.1.1.1	0x5e55	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.466428041 CET	192.168.2.4	1.1.1.1	0x858e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.501173973 CET	192.168.2.4	1.1.1.1	0xb092	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.691653013 CET	192.168.2.4	1.1.1.1	0xb4ca	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:34.728365898 CET	192.168.2.4	1.1.1.1	0x8818	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 15:46:34.728707075 CET	192.168.2.4	1.1.1.1	0xdb6a	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.873023033 CET	192.168.2.4	1.1.1.1	0x3e0c	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 15:46:35.365150928 CET	192.168.2.4	1.1.1.1	0xff21	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:46:56.607193947 CET	192.168.2.4	1.1.1.1	0xd17c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:47:04.344752073 CET	192.168.2.4	1.1.1.1	0x431e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:47:38.180514097 CET	192.168.2.4	1.1.1.1	0x2356	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:47:38.332360029 CET	192.168.2.4	1.1.1.1	0xbdc9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:47:39.599173069 CET	192.168.2.4	1.1.1.1	0xd8c1	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:48:59.750034094 CET	192.168.2.4	1.1.1.1	0xc3f7	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:48:59.892503023 CET	192.168.2.4	1.1.1.1	0x2f0e	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:49:00.033727884 CET	192.168.2.4	1.1.1.1	0x10f4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 15:49:01.347088099 CET	192.168.2.4	1.1.1.1	0xdd17	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 15:46:06.116189003 CET	1.1.1.1	192.168.2.4	0x70c1	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:06.264565945 CET	1.1.1.1	192.168.2.4	0xa608	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.801959991 CET	1.1.1.1	192.168.2.4	0x4024	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:08.801959991 CET	1.1.1.1	192.168.2.4	0x4024	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.801999092 CET	1.1.1.1	192.168.2.4	0x57b3	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.940800905 CET	1.1.1.1	192.168.2.4	0x217e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:08.948271990 CET	1.1.1.1	192.168.2.4	0x689	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:09.080864906 CET	1.1.1.1	192.168.2.4	0x417	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 15:46:09.088799953 CET	1.1.1.1	192.168.2.4	0x3acd	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:09.493268967 CET	1.1.1.1	192.168.2.4	0xb672	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:09.493268967 CET	1.1.1.1	192.168.2.4	0xb672	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:09.498188972 CET	1.1.1.1	192.168.2.4	0xe7de	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.212449074 CET	1.1.1.1	192.168.2.4	0x66ca	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.213614941 CET	1.1.1.1	192.168.2.4	0xa15d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.456180096 CET	1.1.1.1	192.168.2.4	0x7108	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:10.456180096 CET	1.1.1.1	192.168.2.4	0x7108	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.483207941 CET	1.1.1.1	192.168.2.4	0xcf1a	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:10.483207941 CET	1.1.1.1	192.168.2.4	0xcf1a	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:10.483207941 CET	1.1.1.1	192.168.2.4	0xcf1a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.597615004 CET	1.1.1.1	192.168.2.4	0x2927	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.635699034 CET	1.1.1.1	192.168.2.4	0x38f2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.704417944 CET	1.1.1.1	192.168.2.4	0x704b	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.718599081 CET	1.1.1.1	192.168.2.4	0x3998	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.718599081 CET	1.1.1.1	192.168.2.4	0x3998	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.719820023 CET	1.1.1.1	192.168.2.4	0xf769	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:10.719820023 CET	1.1.1.1	192.168.2.4	0xf769	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:10.781141996 CET	1.1.1.1	192.168.2.4	0x2dcf	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 15:46:11.531362057 CET	1.1.1.1	192.168.2.4	0x34ed	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:11.850976944 CET	1.1.1.1	192.168.2.4	0x162d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:11.992602110 CET	1.1.1.1	192.168.2.4	0x7b62	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.139837980 CET	1.1.1.1	192.168.2.4	0xe122	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.165879011 CET	1.1.1.1	192.168.2.4	0xadcb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:12.165879011 CET	1.1.1.1	192.168.2.4	0xadcb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.180684090 CET	1.1.1.1	192.168.2.4	0x6886	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:12.180684090 CET	1.1.1.1	192.168.2.4	0x6886	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.278861046 CET	1.1.1.1	192.168.2.4	0xe4d9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:12.322488070 CET	1.1.1.1	192.168.2.4	0x48c8	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:16.217782021 CET	1.1.1.1	192.168.2.4	0xf808	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:16.217782021 CET	1.1.1.1	192.168.2.4	0xf808	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:16.217782021 CET	1.1.1.1	192.168.2.4	0xf808	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:16.362095118 CET	1.1.1.1	192.168.2.4	0xe24e	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:16.674304008 CET	1.1.1.1	192.168.2.4	0x52a4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068015099 CET	1.1.1.1	192.168.2.4	0xfb15	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068274021 CET	1.1.1.1	192.168.2.4	0x80bd	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:21.068274021 CET	1.1.1.1	192.168.2.4	0x80bd	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.069008112 CET	1.1.1.1	192.168.2.4	0x9a3	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:21.069008112 CET	1.1.1.1	192.168.2.4	0x9a3	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.631853104 CET	1.1.1.1	192.168.2.4	0xb973	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:21.631853104 CET	1.1.1.1	192.168.2.4	0xb973	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.861996889 CET	1.1.1.1	192.168.2.4	0xc98b	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.862047911 CET	1.1.1.1	192.168.2.4	0xbba3	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:21.866173029 CET	1.1.1.1	192.168.2.4	0x5e85	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:22.025968075 CET	1.1.1.1	192.168.2.4	0x655d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:22.025968075 CET	1.1.1.1	192.168.2.4	0x655d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:22.025968075 CET	1.1.1.1	192.168.2.4	0x655d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:22.025968075 CET	1.1.1.1	192.168.2.4	0x655d	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:22.028179884 CET	1.1.1.1	192.168.2.4	0xf3b3	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 15:46:22.069760084 CET	1.1.1.1	192.168.2.4	0x7c72	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 15:46:23.034794092 CET	1.1.1.1	192.168.2.4	0xabdc	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.034794092 CET	1.1.1.1	192.168.2.4	0xabdc	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.034794092 CET	1.1.1.1	192.168.2.4	0xabdc	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.034794092 CET	1.1.1.1	192.168.2.4	0xabdc	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.035355091 CET	1.1.1.1	192.168.2.4	0x6e56	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:23.035355091 CET	1.1.1.1	192.168.2.4	0x6e56	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.035355091 CET	1.1.1.1	192.168.2.4	0x6e56	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.035355091 CET	1.1.1.1	192.168.2.4	0x6e56	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.035355091 CET	1.1.1.1	192.168.2.4	0x6e56	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.573337078 CET	1.1.1.1	192.168.2.4	0x2003	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.573337078 CET	1.1.1.1	192.168.2.4	0x2003	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.573337078 CET	1.1.1.1	192.168.2.4	0x2003	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.573337078 CET	1.1.1.1	192.168.2.4	0x2003	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.636976957 CET	1.1.1.1	192.168.2.4	0xf362	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.636976957 CET	1.1.1.1	192.168.2.4	0xf362	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.636976957 CET	1.1.1.1	192.168.2.4	0xf362	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:23.636976957 CET	1.1.1.1	192.168.2.4	0xf362	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.465359926 CET	1.1.1.1	192.168.2.4	0xc0e	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:34.465359926 CET	1.1.1.1	192.168.2.4	0xc0e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.500170946 CET	1.1.1.1	192.168.2.4	0x5e55	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:34.500170946 CET	1.1.1.1	192.168.2.4	0x5e55	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.565500975 CET	1.1.1.1	192.168.2.4	0x25ff	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.565500975 CET	1.1.1.1	192.168.2.4	0x25ff	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.565500975 CET	1.1.1.1	192.168.2.4	0x25ff	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.565500975 CET	1.1.1.1	192.168.2.4	0x25ff	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.690979958 CET	1.1.1.1	192.168.2.4	0xb092	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.727786064 CET	1.1.1.1	192.168.2.4	0x858e	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.872479916 CET	1.1.1.1	192.168.2.4	0xdb6a	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.872479916 CET	1.1.1.1	192.168.2.4	0xdb6a	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.872479916 CET	1.1.1.1	192.168.2.4	0xdb6a	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:34.872479916 CET	1.1.1.1	192.168.2.4	0xdb6a	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:46:35.021404982 CET	1.1.1.1	192.168.2.4	0x3e0c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 15:46:35.021404982 CET	1.1.1.1	192.168.2.4	0x3e0c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 15:46:35.021404982 CET	1.1.1.1	192.168.2.4	0x3e0c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 15:46:35.021404982 CET	1.1.1.1	192.168.2.4	0x3e0c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 15:46:37.779120922 CET	1.1.1.1	192.168.2.4	0xbfe2	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:46:37.779120922 CET	1.1.1.1	192.168.2.4	0xbfe2	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:47:04.341759920 CET	1.1.1.1	192.168.2.4	0x8f03	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:47:38.330837965 CET	1.1.1.1	192.168.2.4	0x2356	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:47:39.736752033 CET	1.1.1.1	192.168.2.4	0xd8c1	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:47:39.736752033 CET	1.1.1.1	192.168.2.4	0xd8c1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:48:59.891474962 CET	1.1.1.1	192.168.2.4	0xc3f7	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:49:00.033102989 CET	1.1.1.1	192.168.2.4	0x2f0e	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 15:49:01.497351885 CET	1.1.1.1	192.168.2.4	0xdd17	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 15:49:01.497351885 CET	1.1.1.1	192.168.2.4	0xdd17	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	34.107.221.82	80	6044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:46:09.214385033 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:10.395152092 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28693 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49747	34.107.221.82	80	6044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:46:10.857130051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:12.036986113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 49026 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	6044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:46:11.669262886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:12.941266060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28695 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:16.531524897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:16.864655018 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28699 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:20.946537018 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:21.282798052 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28704 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:25.259516001 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:25.595618010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28708 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:35.576796055 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:35.606988907 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:46:35.912967920 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28718 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:36.593043089 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:36.981457949 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28719 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:37.167783022 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:37.500791073 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28720 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:37.841363907 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:38.175374031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28721 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:46:48.178364992 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:46:57.889481068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:46:58.222220898 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28741 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:47:05.619575024 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:47:06.003690004 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28748 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:47:16.016808987 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:26.143522024 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:36.272783995 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:39.598934889 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:47:39.932162046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28782 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 15:47:49.932651997 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:00.061655998 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:10.190603971 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:20.320147991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:30.447958946 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:49:01.346796989 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 15:49:01.683464050 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 28864 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49759	34.107.221.82	80	6044	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 15:46:16.651357889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:17.828669071 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50519 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:20.943772078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:21.279077053 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50523 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:21.985943079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:22.318089008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:25.668796062 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:26.001137972 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50527 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:35.922141075 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:36.008093119 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:46:36.266613007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50538 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:36.984210014 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:37.320125103 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:37.503432989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:37.838632107 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50539 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:38.178456068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:38.510462046 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50540 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:46:48.517222881 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:46:58.224798918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:46:58.556761026 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50560 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:47:06.007513046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:47:06.341766119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50568 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:47:16.352798939 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:26.482121944 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:36.611007929 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:47:39.935925007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:47:40.271694899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50602 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 15:47:50.280271053 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:00.409444094 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:10.538372993 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:20.668009996 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:48:30.795722008 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 15:49:01.689575911 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 15:49:02.022042036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 50683 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	09:45:58
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb20000
File size:	922'112 bytes
MD5 hash:	6AF576DA82F8F0FB7902FA3CE4235E02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:45:58
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:45:58
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:46:00
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:46:00
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xb10000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:46:01
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:46:02
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:46:02
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:46:02
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c7b777d-2a26-4fbe-9330-9edfca496016} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bffe16ef10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:46:05
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4396 -parentBuildID 20230927232528 -prefsHandle 4388 -prefMapHandle 4384 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57a82ab3-3010-46f8-acb6-a65d54e98571} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8e7d0e10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:46:10
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20381055-6d38-4858-a02c-8e8f38f6f4a2} 6044 "\\.\pipe\gecko-crash-server-pipe.6044" 1bf8dcc1d10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1498
Total number of Limit Nodes:	55

Executed Functions

Function 00B242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B2430D

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

GetCurrentProcess.KERNEL32(?,00BBCB64,00000000,?,?), ref: 00B24422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B24429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B24454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B24466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B24474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B2447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B244A0

Strings

GetNativeSystemInfo, xrefs: 00B24460
|O, xrefs: 00B636F8
kernel32.dll, xrefs: 00B2444F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: ae52958c671be2109382cf211d5bc1fee65b3da6b5c2f1947c732ce151e4eed7
Instruction ID: f3abc73cb85f3fdd723b68413163bdaabff5f6dbcd1226e555aecb6c16096033
Opcode Fuzzy Hash: ae52958c671be2109382cf211d5bc1fee65b3da6b5c2f1947c732ce151e4eed7
Instruction Fuzzy Hash: C8A1837690A2D4FFC712DB6DBC815B57FE4AB26700B085CE9D09993B22DF744908CB29

Function 00B242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B250AA,?,?,00000000,00000000), ref: 00B242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B250AA,?,?,00000000,00000000), ref: 00B242C9
LoadResource.KERNEL32(?,00000000,?,?,00B250AA,?,?,00000000,00000000,?,?,?,?,?,?,00B24F20), ref: 00B635BE
SizeofResource.KERNEL32(?,00000000,?,?,00B250AA,?,?,00000000,00000000,?,?,?,?,?,?,00B24F20), ref: 00B635D3
LockResource.KERNEL32(00B250AA,?,?,00B250AA,?,?,00000000,00000000,?,?,?,?,?,?,00B24F20,?), ref: 00B635E6

Strings

SCRIPT, xrefs: 00B242BF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a1a2d723248be4bd64260c5a64f614b741ea408cf1664abd7a29fbe423b35643
Instruction ID: 34687a7b30f4031465270ec9f4a96353f9744162754f2522f5d51dfc827a8b77
Opcode Fuzzy Hash: a1a2d723248be4bd64260c5a64f614b741ea408cf1664abd7a29fbe423b35643
Instruction Fuzzy Hash: DA112A71200611EFDB218B66EC49F677BB9EBC5B51F2482A9B40696660DBB1D8048A60

Function 00B62BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B22B6B

Part of subcall function 00B23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BF1418,?,00B22E7F,?,?,?,00000000), ref: 00B23A78

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00BE2224), ref: 00B62C10
ShellExecuteW.SHELL32(00000000,?,?,00BE2224), ref: 00B62C17

Strings

runas, xrefs: 00B62C0B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 96c2dc8e2f2432f1d216604989c2dbe41b28e744760056d1b36a6e50f9ee15e7
Instruction ID: ee48020fb9fb8798d77ba72d25e9d6f9415eb7038327e85b0974115e7f918a34
Opcode Fuzzy Hash: 96c2dc8e2f2432f1d216604989c2dbe41b28e744760056d1b36a6e50f9ee15e7
Instruction Fuzzy Hash: A711E131208355AAC714FF24F8569BE7BE8EB95740F480DECF18E570A2CF258A0AC712

Function 00B8D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8D501
Process32FirstW.KERNEL32(00000000,?), ref: 00B8D50F
Process32NextW.KERNEL32(00000000,?), ref: 00B8D52F
CloseHandle.KERNELBASE(00000000), ref: 00B8D5DC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2b19629de2ddbfaf40774961e36c6c12195b1b0f89793fff6571d64ae32d350a
Instruction ID: 50d344f7c69e900f8cded4c056d6875962880d4a5815d0cacda8370647470895
Opcode Fuzzy Hash: 2b19629de2ddbfaf40774961e36c6c12195b1b0f89793fff6571d64ae32d350a
Instruction Fuzzy Hash: 6731B1711083009FD300EF54D881AAFBBF8EF99354F54096EF589971A1EB71D948CBA2

Function 00B8DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00B65222), ref: 00B8DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00B8DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00B8DBEE
FindClose.KERNEL32(00000000), ref: 00B8DBFA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b0645a312fcffaedc062977250cdf261cb32831ea7ac0f9f4b59d4a38832a155
Instruction ID: 3bdf8d69f8f5a24fce399293f651ad32dfc9ddba48194d80a5fb8f10024540ce
Opcode Fuzzy Hash: b0645a312fcffaedc062977250cdf261cb32831ea7ac0f9f4b59d4a38832a155
Instruction Fuzzy Hash: ACF039318149146B8220BF7CAD0D8AA7BACDE42335B544B47F876D21F0EFF09D95CA96

Function 00B44CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B528E9,?,00B44CBE,00B528E9,00BE88B8,0000000C,00B44E15,00B528E9,00000002,00000000,?,00B528E9), ref: 00B44D09
TerminateProcess.KERNEL32(00000000,?,00B44CBE,00B528E9,00BE88B8,0000000C,00B44E15,00B528E9,00000002,00000000,?,00B528E9), ref: 00B44D10
ExitProcess.KERNEL32 ref: 00B44D22

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 106607b62d13453f00924db6339a841ea3a6e623d5e3185cef7e54e37da56c0e
Instruction ID: 7b0e89b5bfe66dff5c19fe7813803219309a3e1f0f822316f590e395fd52a444
Opcode Fuzzy Hash: 106607b62d13453f00924db6339a841ea3a6e623d5e3185cef7e54e37da56c0e
Instruction Fuzzy Hash: 81E0B631404148ABCF11AF54DD09B683FE9EB42781B5041A8FC059B222CB75DE52DA84

Function 00BAAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00BAB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BAB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BAB1D4
_wcslen.LIBCMT ref: 00BAB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BAB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BAB236
_wcslen.LIBCMT ref: 00BAB332

Part of subcall function 00B905A7: GetStdHandle.KERNEL32(000000F6), ref: 00B905C6

_wcslen.LIBCMT ref: 00BAB34B
_wcslen.LIBCMT ref: 00BAB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BAB3B6
GetLastError.KERNEL32(00000000), ref: 00BAB407
CloseHandle.KERNEL32(?), ref: 00BAB439
CloseHandle.KERNEL32(00000000), ref: 00BAB44A
CloseHandle.KERNEL32(00000000), ref: 00BAB45C
CloseHandle.KERNEL32(00000000), ref: 00BAB46E
CloseHandle.KERNEL32(?), ref: 00BAB4E3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 87670bda4f38283ba2352a198da59a7c5d786d3ac92159ea6dc0cb52e53ed8f0
Instruction ID: 8d0e88729060db830d8127b7e98230370b0ad5e9326035d027d355414af63417
Opcode Fuzzy Hash: 87670bda4f38283ba2352a198da59a7c5d786d3ac92159ea6dc0cb52e53ed8f0
Instruction Fuzzy Hash: ECF169315083509FCB24EF24D891F6ABBE5EF86314F14859DF8999B2A2CB31EC44CB52

Function 00B2D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B2D807
timeGetTime.WINMM ref: 00B2DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B2DB28
TranslateMessage.USER32(?), ref: 00B2DB7B
DispatchMessageW.USER32(?), ref: 00B2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B2DB9F
Sleep.KERNELBASE(0000000A), ref: 00B2DBB1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 35e1211929cc7f6a38057af2aed1596370d899c6af3ec5033c34336028e91770
Instruction ID: 2691a589a7df3ca765270035e917e9ef041b3da8816b50fdcd750b3f202032c5
Opcode Fuzzy Hash: 35e1211929cc7f6a38057af2aed1596370d899c6af3ec5033c34336028e91770
Instruction Fuzzy Hash: 6942F430604251DFD725CF28D894BAAB7E1FF55304F148AA9F5AD8B391DB70E884CB92

Function 00B22CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B22D07
RegisterClassExW.USER32(00000030), ref: 00B22D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B22D42
InitCommonControlsEx.COMCTL32(?), ref: 00B22D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B22D6F
LoadIconW.USER32(000000A9), ref: 00B22D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B22D94

Strings

TaskbarCreated, xrefs: 00B22D37
+, xrefs: 00B22CF0
AutoIt v3 GUI, xrefs: 00B22D23
0, xrefs: 00B22CE9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1ee7137c630c082afac207f4f5305512498dec04f0c13fb54c28c79183e37824
Instruction ID: 9690fa89580cd250f0d6c0ed43750d36caf6d4c8c3a3d36ebc1c8cda97900422
Opcode Fuzzy Hash: 1ee7137c630c082afac207f4f5305512498dec04f0c13fb54c28c79183e37824
Instruction Fuzzy Hash: D721A2B5911218EBDB00DFA9E849AADBFB8FB08700F108A1AE551A72A0DBF14545CF95

Function 00B6065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00B60704,?,?,00000000,?,00B60704,00000000,0000000C), ref: 00B603B7

GetLastError.KERNEL32 ref: 00B6076F
__dosmaperr.LIBCMT ref: 00B60776
GetFileType.KERNELBASE(00000000), ref: 00B60782
GetLastError.KERNEL32 ref: 00B6078C
__dosmaperr.LIBCMT ref: 00B60795
CloseHandle.KERNEL32(00000000), ref: 00B607B5
CloseHandle.KERNEL32(?), ref: 00B608FF
GetLastError.KERNEL32 ref: 00B60931
__dosmaperr.LIBCMT ref: 00B60938

Strings

H, xrefs: 00B608BD

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: bae19f4e878ddfb39c1208fa7de0d6515a43778c785fb67a78f9f6291b2e9529
Instruction ID: 41e370cc52f967ea6f2f18e6cb743606a7f1e34b726e80b724e12578fc5da720
Opcode Fuzzy Hash: bae19f4e878ddfb39c1208fa7de0d6515a43778c785fb67a78f9f6291b2e9529
Instruction Fuzzy Hash: 5DA10532A241058FDF19EF68D891BBE7BE0EB46320F140199F8159B2A2DB759D12CB91

Function 00B2344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BF1418,?,00B22E7F,?,?,?,00000000), ref: 00B23A78

Part of subcall function 00B23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B23379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B2356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B6318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B631CE
RegCloseKey.ADVAPI32(?), ref: 00B63210
_wcslen.LIBCMT ref: 00B63277
_wcslen.LIBCMT ref: 00B63286

Strings

\Include\, xrefs: 00B23527
\, xrefs: 00B6328C
Software\AutoIt v3\AutoIt, xrefs: 00B23560
Include, xrefs: 00B63184, 00B631C5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 42e5a86b978913d5b2a51fd3e887c5d2cedb8864a44ed5350f6b50a53b31b758
Instruction ID: ec765657c161b1ffaf8f9e64fd91356d3e0e7ba54cbb440c609eab6f742458ad
Opcode Fuzzy Hash: 42e5a86b978913d5b2a51fd3e887c5d2cedb8864a44ed5350f6b50a53b31b758
Instruction Fuzzy Hash: C071A1B14043159FC314EF29EC829BBBBE8FF99740F40096EF54997160EB749A48CB65

Function 00B22B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B22B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B22B9D
LoadIconW.USER32(00000063), ref: 00B22BB3
LoadIconW.USER32(000000A4), ref: 00B22BC5
LoadIconW.USER32(000000A2), ref: 00B22BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B22BEF
RegisterClassExW.USER32(?), ref: 00B22C40

Part of subcall function 00B22CD4: GetSysColorBrush.USER32(0000000F), ref: 00B22D07
Part of subcall function 00B22CD4: RegisterClassExW.USER32(00000030), ref: 00B22D31
Part of subcall function 00B22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B22D42
Part of subcall function 00B22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B22D5F
Part of subcall function 00B22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B22D6F
Part of subcall function 00B22CD4: LoadIconW.USER32(000000A9), ref: 00B22D85
Part of subcall function 00B22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B22D94

Strings

AutoIt v3, xrefs: 00B22C2F
0, xrefs: 00B22C0F
#, xrefs: 00B22C16

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 51ab8a8506b41db0a11a3d91b2396d941b71fcfd088bf4bb6b3543c39386d483
Instruction ID: 4ab151ca37f987032fe3a98843fba077710e3e60986611f132466c50965b9fd9
Opcode Fuzzy Hash: 51ab8a8506b41db0a11a3d91b2396d941b71fcfd088bf4bb6b3543c39386d483
Instruction Fuzzy Hash: 67212C71E00315FBDB10DFAAEC55AA97FB4FB48B50F00095AF504A76A0DBB10944CF98

Function 00B23170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B2316A,?,?), ref: 00B231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B2316A,?,?), ref: 00B23204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B23227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B2316A,?,?), ref: 00B23232
CreatePopupMenu.USER32 ref: 00B23246
PostQuitMessage.USER32(00000000), ref: 00B23267

Strings

TaskbarCreated, xrefs: 00B2322D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a5571c6d61786f8aa4f7ed0c713d0a542330f2fdb903a6fd85a8c19ecd730159
Instruction ID: 94ebc7e918bd613d5a6294a86a318e35c86447573e17d168697f798c57157c0b
Opcode Fuzzy Hash: a5571c6d61786f8aa4f7ed0c713d0a542330f2fdb903a6fd85a8c19ecd730159
Instruction Fuzzy Hash: 8D410631200228EBDB145F7CAD49B793AE9E705B40F0449E5F549A72A2CFBACE41D7A1

Function 00B21410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B21459
CoUninitialize.COMBASE ref: 00B214F8
UnregisterHotKey.USER32(?), ref: 00B216DD
DestroyWindow.USER32(?), ref: 00B624B9
FreeLibrary.KERNEL32(?), ref: 00B6251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B6254B

Strings

close all, xrefs: 00B21454

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 80c25935d787b358cc3eafd6874a0d6e489edfb784847f0d804a94e6a52459f3
Instruction ID: ec0cdf6c54fd41d66a6081a8a56d519e752159d02bc1facb0a07584ab5f9a09a
Opcode Fuzzy Hash: 80c25935d787b358cc3eafd6874a0d6e489edfb784847f0d804a94e6a52459f3
Instruction Fuzzy Hash: C6D139317016228FDB29EF18D899A69F7E4BF15700F2446EDE44E6B261DB34AD12CF50

Function 00B22C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B22C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B22CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B21CAD,?), ref: 00B22CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B21CAD,?), ref: 00B22CCF

Strings

edit, xrefs: 00B22CAC
AutoIt v3, xrefs: 00B22C89, 00B22C8E, 00B22C8F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 571ea84c7d4fd6432fa7b8876f646a11c42585254bbb253227dd3a7e615915e4
Instruction ID: fc048d14bc63d322a78ca033f951289c196afc9056dd694b1e0a62e4f679dce3
Opcode Fuzzy Hash: 571ea84c7d4fd6432fa7b8876f646a11c42585254bbb253227dd3a7e615915e4
Instruction Fuzzy Hash: D5F0DA76540290BBEB315B1BAC08EB72EBDD7C7F60B00085AF904A75A0CAA11850DAB8

Function 00B23B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B23B0F,SwapMouseButtons,00000004,?), ref: 00B23B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B23B0F,SwapMouseButtons,00000004,?), ref: 00B23B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B23B0F,SwapMouseButtons,00000004,?), ref: 00B23B83

Strings

Control Panel\Mouse, xrefs: 00B23B3E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fbc7f5389ef4c4195b0239840c30505db9f3db67e4f788f3c9b323f5be0182b0
Instruction ID: b8c780ca32694e6940fd7456456d544a1daae6eb13cf4065fc2d1381c3d369b5
Opcode Fuzzy Hash: fbc7f5389ef4c4195b0239840c30505db9f3db67e4f788f3c9b323f5be0182b0
Instruction Fuzzy Hash: 55112AB5511218FFDB21CFA5EC88AAEBBF8EF04B44B104999B809D7110D6759E409B60

Function 00B23923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B633A2

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B23A04

Strings

Line: , xrefs: 00B633EB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 4b97e1355ecd63a7748b3475c9f2739a5af4e71d8726dc4cbb449b0ab9b16b56
Instruction ID: c976a8199005fff9a247ed56ec52ee0899aa752c490b4cb200b8dfccdc8c0e59
Opcode Fuzzy Hash: 4b97e1355ecd63a7748b3475c9f2739a5af4e71d8726dc4cbb449b0ab9b16b56
Instruction Fuzzy Hash: 6031E271508324AAC725EB24EC45BEBB7D8AB45B10F040EAAF59D83191DF749A48CBC6

Function 00B3FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B40668

Part of subcall function 00B432A4: RaiseException.KERNEL32(?,?,?,00B4068A,?,00BF1444,?,?,?,?,?,?,00B4068A,00B21129,00BE8738,00B21129), ref: 00B43304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B40685

Strings

Unknown exception, xrefs: 00B40692

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: db4797ce34f84c9c50aa2962325e8cc3637631e6ee2e5e790ed14728dad39ba9
Instruction ID: f0847adac62ef8f3b507c5656beaeb17f21d00519867e6943b57804659491ee6
Opcode Fuzzy Hash: db4797ce34f84c9c50aa2962325e8cc3637631e6ee2e5e790ed14728dad39ba9
Instruction Fuzzy Hash: 1DF0C83490060D778B00B668D88ACAD77FC9E50310B7045F1B914955A1EF71DB25E580

Function 00B210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B21BF4
Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B21BFC
Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B21C07
Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B21C12
Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B21C1A
Part of subcall function 00B21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B21C22

Part of subcall function 00B21B4A: RegisterWindowMessageW.USER32(00000004,?,00B212C4), ref: 00B21BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B2136A
OleInitialize.OLE32 ref: 00B21388
CloseHandle.KERNEL32(00000000,00000000), ref: 00B624AB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 0e768a9211086463d9cca150087b5dac704283fe917a441a2fbf1443c6cfcb5a
Instruction ID: bef8eefb809233ffe4fff5d2757778f578047447a806af2ab998e27502946210
Opcode Fuzzy Hash: 0e768a9211086463d9cca150087b5dac704283fe917a441a2fbf1443c6cfcb5a
Instruction Fuzzy Hash: 6871C9B5911204CFD384EF7EAD456B53AE4FBA87847548EAAD10ADB361EF318448CF50

Function 00B8C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B23923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B23A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B8C259
KillTimer.USER32(?,00000001,?,?), ref: 00B8C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B8C270

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 15127be3e496c4580750136a3a8756b95f2c8f343852c33407e24437aeffa0ec
Instruction ID: 9a75c31854197ddf01a983da374448a6582027ec6eac3c52b79e5374c25ea215
Opcode Fuzzy Hash: 15127be3e496c4580750136a3a8756b95f2c8f343852c33407e24437aeffa0ec
Instruction Fuzzy Hash: 2B3193B0904354AFEB62EF648895BE7BFEC9B06304F0004DAE5DAA7291C7745A84CB61

Function 00B586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B585CC,?,00BE8CC8,0000000C), ref: 00B58704
GetLastError.KERNEL32(?,00B585CC,?,00BE8CC8,0000000C), ref: 00B5870E
__dosmaperr.LIBCMT ref: 00B58739

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d92ad4a379466c25815da0aceb452b1494af44bb25c7f8a2db6ab3acb52145a3
Instruction ID: efc3ba7fc7926c36d37bf5da5687600b3ac1e9f68addc684023b9f2bb1aa1a49
Opcode Fuzzy Hash: d92ad4a379466c25815da0aceb452b1494af44bb25c7f8a2db6ab3acb52145a3
Instruction Fuzzy Hash: C5016B32A1526017D3707234A84577E2BC98F81777F3902D9FC09AB0E2DEB0CC89C154

Function 00B2DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00B2DB7B
DispatchMessageW.USER32(?), ref: 00B2DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B2DB9F
Sleep.KERNELBASE(0000000A), ref: 00B2DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00B71CC9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 4207eb48865f2a47d43eb81a1381559ac7943de7a0aeac965a8db6ebfd3881f2
Instruction ID: 44c6adf7c09dbbef791393568945e23bdb20e044faf5bad580ef21ac30696db7
Opcode Fuzzy Hash: 4207eb48865f2a47d43eb81a1381559ac7943de7a0aeac965a8db6ebfd3881f2
Instruction Fuzzy Hash: 44F0DA316443449BE730CBA59C99FAA77E8EB45350F104A59E65E870D0DF7094488B25

Function 00B31310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B317F6

Strings

CALL, xrefs: 00B317C6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 7657c77ecfd268924f28f1793269a290c8b64dd63a2827a2cc1359744c871137
Instruction ID: feb358d4131f729fb53d071c69202b4186f0e75a3b373ddc43ba7b122ffd42ed
Opcode Fuzzy Hash: 7657c77ecfd268924f28f1793269a290c8b64dd63a2827a2cc1359744c871137
Instruction Fuzzy Hash: 15228B70608201DFC714DF18C490A2ABBF5FF99314F2989ADF49A8B361D731E945CB92

Function 00B22DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B62C8C

Part of subcall function 00B23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B23A97,?,?,00B22E7F,?,?,?,00000000), ref: 00B23AC2

Part of subcall function 00B22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B22DC4

Strings

X, xrefs: 00B62C5A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e0ec388c6e28d4321f4327deb0ccb2a9bd5748ffe36c1f4eb7ed6fb35b1542a2
Instruction ID: 52a1ad266e7a97767776bd3bac6db426645f8b52b8dfc762e778ab5aa6fb2daa
Opcode Fuzzy Hash: e0ec388c6e28d4321f4327deb0ccb2a9bd5748ffe36c1f4eb7ed6fb35b1542a2
Instruction Fuzzy Hash: C821D571A102A8AFDB01EF94D845BEE7BF8EF58314F004099E409F7241DBB85A498FA1

Function 00B23837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B23908

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 830859ff2f3fc70297003abdd17121f80f712c56c21ec1d506452879f2defafb
Instruction ID: 22da73de5935aa84da1ac33a8d1ce0e33240f358960275e4b03fdb9118414474
Opcode Fuzzy Hash: 830859ff2f3fc70297003abdd17121f80f712c56c21ec1d506452879f2defafb
Instruction Fuzzy Hash: 79318170604311DFD720DF24D8847A7BBE4FB49708F000D6EF59A8B250EB75AA44CB56

Function 00B3F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B3F661

Part of subcall function 00B2D730: GetInputState.USER32 ref: 00B2D807

Sleep.KERNEL32(00000000), ref: 00B7F2DE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 1859c011fe6be7dbe679a6b93e315f07156f13adc2e5372749f2f239cbbaf060
Instruction ID: 4c519da10972c88bf4ee124bb2752723ca4cbe9289c749fdfe60cc8005be3dc3
Opcode Fuzzy Hash: 1859c011fe6be7dbe679a6b93e315f07156f13adc2e5372749f2f239cbbaf060
Instruction Fuzzy Hash: 1FF08C31240615AFD310EF69E459F6ABBE8EF59760F0041AAE85DDB261DFB0AC00CB90

Function 00B24ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B24EDD,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E9C
Part of subcall function 00B24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B24EAE
Part of subcall function 00B24E90: FreeLibrary.KERNEL32(00000000,?,?,00B24EDD,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24EFD

Part of subcall function 00B24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B63CDE,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E62
Part of subcall function 00B24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B24E74
Part of subcall function 00B24E59: FreeLibrary.KERNEL32(00000000,?,?,00B63CDE,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E87

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: cf75a42b0093d765db6eb258d9ab3d2a283da25f9661731846803bf687a3cf35
Instruction ID: 85b4fbb56d7efa432463659a55970706639b0fd4a0c162924952ad5806171dd6
Opcode Fuzzy Hash: cf75a42b0093d765db6eb258d9ab3d2a283da25f9661731846803bf687a3cf35
Instruction Fuzzy Hash: C2110431610215AADF24FB60ED02FED7BE4AF90B10F2044A9F54AA65C1DFB09A049B50

Function 00B58402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B58440

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e32a7e1cd44626ca5b9dcc6de153a5dd0bf42576d48063e8026bf04228592e92
Instruction ID: adb42359fb049a1fa3f2d8fc62a0205847a06c39d6a23ba8b8555180b4e53f3a
Opcode Fuzzy Hash: e32a7e1cd44626ca5b9dcc6de153a5dd0bf42576d48063e8026bf04228592e92
Instruction Fuzzy Hash: 4D11187590410AAFCB05DF58E941A9A7BF9EF48315F104099FC09AB312DA31DA15CBA5

Function 00B4E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: de3aebe97b30adee244ae8000785ec5cfd1f6cf1bc769b9d9e395173c466a43e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8CF0F432511A1096C7313A799C05B5A33DCAF53336F110BE5F835A32D2CB74DA09A6A6

Function 00B53820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6,?,00B21129), ref: 00B53852

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9b79223a0c52d21de0ca42edb304ac93ccbf622728e56e53cd8c53901985390a
Instruction ID: 9ba192cfafa12085a81b5fa6c30449015acfaa3144e5162075aa128d44100b3a
Opcode Fuzzy Hash: 9b79223a0c52d21de0ca42edb304ac93ccbf622728e56e53cd8c53901985390a
Instruction Fuzzy Hash: 74E0E531100224A7D639266A9C00B9A36C8EB42FF2F1501E1BC14A3680DF51DE0993E0

Function 00B24F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24F6D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e29f08dc85b9e2dd308faff30bf43bafd2eb1b2488767aa120f399a5e6a5bc24
Instruction ID: 906432ff66d1c468cdcb1c2e17e6c81d09d770d87e39a6cec17c6f2ba610c9ec
Opcode Fuzzy Hash: e29f08dc85b9e2dd308faff30bf43bafd2eb1b2488767aa120f399a5e6a5bc24
Instruction Fuzzy Hash: 51F03071105761CFDB349F64E590812BBE4FF5431931089BEE1EE93911C7719844DF10

Function 00BB2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BB2A66

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 327b3c5f6230baa018e4dbe1814501129cf313ce068561e8ea5ee3827b0925d2
Instruction ID: 74442a928cebc2e0fba7fe52a1ae9fe4ba6069912b5c48ee33c57811f6dc30b6
Opcode Fuzzy Hash: 327b3c5f6230baa018e4dbe1814501129cf313ce068561e8ea5ee3827b0925d2
Instruction Fuzzy Hash: 2BE04F36350116ABC714FB30DC818FA7BDCEB5039571045B6EC27D2110DF709995D6A0

Function 00B230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B2314E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ae639c215bbef619a033aa47631fa72f266d62df107c2bbdf57d54a43085038d
Instruction ID: afd2ae1ba99813a86fcc82ffdc3a0ab0860454873886a94ef38c6f8ffdf5ad93
Opcode Fuzzy Hash: ae639c215bbef619a033aa47631fa72f266d62df107c2bbdf57d54a43085038d
Instruction Fuzzy Hash: B1F03770914318AFEB52DF24DC46BE57BFCA701708F0005E5A548A7292DB745B88CF55

Function 00B22DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B22DC4

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 761b979ece59fbb2e6490ace875b23611d349c61f760c8a4aa857c8aa070434f
Instruction ID: a3f0f4cd9b5be824724eed5e7a01af8ce48046e331fd205e1a5ee31e22728344
Opcode Fuzzy Hash: 761b979ece59fbb2e6490ace875b23611d349c61f760c8a4aa857c8aa070434f
Instruction Fuzzy Hash: E7E0CD726001245BC720D6589C06FDA77DDDFC8790F0401B1FD09D7248D9A4AD808550

Function 00B22B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B23837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B23908

Part of subcall function 00B2D730: GetInputState.USER32 ref: 00B2D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B22B6B

Part of subcall function 00B230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B2314E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 08f4818982c8b2e66cd860fe9565204875399a08a16999dce519f85c6c75d121
Instruction ID: 90f9b06cb4536c205d69b0f534b66b1011568b45e3190759cfc0cf1f86cdc08a
Opcode Fuzzy Hash: 08f4818982c8b2e66cd860fe9565204875399a08a16999dce519f85c6c75d121
Instruction Fuzzy Hash: 6FE07D2230022803C704BB38B81657DB7C9DBD5751F400DFEF14E87263CF2949498362

Function 00B6039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B60704,?,?,00000000,?,00B60704,00000000,0000000C), ref: 00B603B7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ca447a373052027bb751448d4d98a7283802e498c8cb45e41ca48f4ab42d715
Instruction ID: e34ae539c2aaf824077b25a35d22ec257735cebc8e303d484a46db3da2d84537
Opcode Fuzzy Hash: 5ca447a373052027bb751448d4d98a7283802e498c8cb45e41ca48f4ab42d715
Instruction Fuzzy Hash: D4D06C3204010DBBDF028F84DD06EDA3FAAFB48714F014100BE1866020C772E821AB90

Function 00B21CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B21CBC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 6f387bf872bb583625beadbb09cb31639811b9cedb8471e2c715a12f25f9e9c9
Instruction ID: d73284386ea1504017d8e3bb40d4158d3e21d55c938d122e0b3cb4d586d1b4b2
Opcode Fuzzy Hash: 6f387bf872bb583625beadbb09cb31639811b9cedb8471e2c715a12f25f9e9c9
Instruction Fuzzy Hash: 32C09B36280305EFF2148784BC4BF207754A358B00F044401F609575E3CBE11410D654

Non-executed Functions

Function 00BB9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BB961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BB965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BB969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BB96C9
SendMessageW.USER32 ref: 00BB96F2
GetKeyState.USER32(00000011), ref: 00BB978B
GetKeyState.USER32(00000009), ref: 00BB9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BB97AE
GetKeyState.USER32(00000010), ref: 00BB97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BB97E9
SendMessageW.USER32 ref: 00BB9810
SendMessageW.USER32(?,00001030,?,00BB7E95), ref: 00BB9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BB992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BB9941
SetCapture.USER32(?), ref: 00BB994A
ClientToScreen.USER32(?,?), ref: 00BB99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BB99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BB99D6
ReleaseCapture.USER32 ref: 00BB99E1
GetCursorPos.USER32(?), ref: 00BB9A19
ScreenToClient.USER32(?,?), ref: 00BB9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BB9A80
SendMessageW.USER32 ref: 00BB9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BB9AEB
SendMessageW.USER32 ref: 00BB9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BB9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BB9B4A
GetCursorPos.USER32(?), ref: 00BB9B68
ScreenToClient.USER32(?,?), ref: 00BB9B75
GetParent.USER32(?), ref: 00BB9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BB9BFA
SendMessageW.USER32 ref: 00BB9C2B
ClientToScreen.USER32(?,?), ref: 00BB9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BB9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BB9CDE
SendMessageW.USER32 ref: 00BB9D01
ClientToScreen.USER32(?,?), ref: 00BB9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BB9D82

Part of subcall function 00B39944: GetWindowLongW.USER32(?,000000EB), ref: 00B39952

GetWindowLongW.USER32(?,000000F0), ref: 00BB9E05

Strings

F, xrefs: 00BB9D07
@GUI_DRAGID, xrefs: 00BB997D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 0c25a0e7292529e8ee843cf6f17e7ed6804bcf67729bbf7bce8189c28488025c
Instruction ID: af005785e93a0b586f2cc92caa882ea55b73abd5c2fd4da3103cd9daa2cb1585
Opcode Fuzzy Hash: 0c25a0e7292529e8ee843cf6f17e7ed6804bcf67729bbf7bce8189c28488025c
Instruction Fuzzy Hash: C4428F34204251AFD724CF28CC84EFABBE5FF49310F144A99F69A872A1DBB1E855CB51

Function 00BB4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00BB48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00BB4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00BB4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00BB494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00BB495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00BB497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00BB49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00BB49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00BB4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BB4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00BB4A7E
IsMenu.USER32(?), ref: 00BB4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB4B20
GetWindowLongW.USER32(?,000000F0), ref: 00BB4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00BB4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00BB4C82
wsprintfW.USER32 ref: 00BB4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BB4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BB4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BB4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BB4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00BB4D5A

Strings

%d/%02d/%02d, xrefs: 00BB4CA8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b1cd93569a4e63555cfef922b66400e46ff1999f9417ffcf5db61249af1453a2
Instruction ID: 376f6d60813bb675707d237510c7a2d73951f4891e1a721695b1f44d20b5b5dd
Opcode Fuzzy Hash: b1cd93569a4e63555cfef922b66400e46ff1999f9417ffcf5db61249af1453a2
Instruction Fuzzy Hash: 2912AE71500215ABEB258F28CC49FFE7BF8FB45710F1042A9F51AEB2A2DBB49941CB50

Function 00B3F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B3F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B7F474
IsIconic.USER32(00000000), ref: 00B7F47D
ShowWindow.USER32(00000000,00000009), ref: 00B7F48A
SetForegroundWindow.USER32(00000000), ref: 00B7F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B7F4AA
GetCurrentThreadId.KERNEL32 ref: 00B7F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B7F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B7F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B7F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B7F4DE
SetForegroundWindow.USER32(00000000), ref: 00B7F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7F4F6
keybd_event.USER32(00000012,00000000), ref: 00B7F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7F50B
keybd_event.USER32(00000012,00000000), ref: 00B7F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7F519
keybd_event.USER32(00000012,00000000), ref: 00B7F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B7F528
keybd_event.USER32(00000012,00000000), ref: 00B7F52D
SetForegroundWindow.USER32(00000000), ref: 00B7F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B7F557

Strings

Shell_TrayWnd, xrefs: 00B7F46F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 21a43c027c5f42653cb42dcdb5878e59422df109e117be33e0060009c8208f8a
Instruction ID: 0c1602a693806aa48a6e2309a5329e41b6c141efde36a33569e7f7247334dd67
Opcode Fuzzy Hash: 21a43c027c5f42653cb42dcdb5878e59422df109e117be33e0060009c8208f8a
Instruction Fuzzy Hash: 71319471A40219BBEB20ABB58C4AFBF7EACEB44B50F104165FA05E71D1CBF05D00AA64

Function 00B81201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B8170D
Part of subcall function 00B816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B8173A
Part of subcall function 00B816C3: GetLastError.KERNEL32 ref: 00B8174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B81286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B812A8
CloseHandle.KERNEL32(?), ref: 00B812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B812D1
GetProcessWindowStation.USER32 ref: 00B812EA
SetProcessWindowStation.USER32(00000000), ref: 00B812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B81310

Part of subcall function 00B810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B811FC), ref: 00B810D4
Part of subcall function 00B810BF: CloseHandle.KERNEL32(?,?,00B811FC), ref: 00B810E9

Strings

, xrefs: 00B8125A
winsta0, xrefs: 00B812CC
default, xrefs: 00B8130B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 31859eaef07105494c45f4738a691449d0265e9b330e5d6fb609731bd1bcce84
Instruction ID: 0ede5e92e47fdb7f3a7ff474d0fe24c1fff08e9cbfc0a6a70a00915467e44977
Opcode Fuzzy Hash: 31859eaef07105494c45f4738a691449d0265e9b330e5d6fb609731bd1bcce84
Instruction Fuzzy Hash: 22815B71901209ABDF21EFA8DC49BEE7BFDEF04704F1845A9F911B62A0DB718945CB20

Function 00B80B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B81114
Part of subcall function 00B810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81120
Part of subcall function 00B810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B8112F
Part of subcall function 00B810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81136
Part of subcall function 00B810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B80BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B80C00
GetLengthSid.ADVAPI32(?), ref: 00B80C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B80C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B80C6D
GetLengthSid.ADVAPI32(?), ref: 00B80C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B80C8C
HeapAlloc.KERNEL32(00000000), ref: 00B80C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B80CB4
CopySid.ADVAPI32(00000000), ref: 00B80CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B80CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B80D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B80D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80D45
HeapFree.KERNEL32(00000000), ref: 00B80D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80D55
HeapFree.KERNEL32(00000000), ref: 00B80D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80D65
HeapFree.KERNEL32(00000000), ref: 00B80D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B80D78
HeapFree.KERNEL32(00000000), ref: 00B80D7F

Part of subcall function 00B81193: GetProcessHeap.KERNEL32(00000008,00B80BB1,?,00000000,?,00B80BB1,?), ref: 00B811A1
Part of subcall function 00B81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B80BB1,?), ref: 00B811A8
Part of subcall function 00B81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B80BB1,?), ref: 00B811B7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d0e192909b78f6929d83185a118b14daafde3cfeae8a197af3c614eda21a7087
Instruction ID: d346b04ac096bf2cbff0fac39c3738ed2d56c6d5668ff78ebced4c0a6fac1a33
Opcode Fuzzy Hash: d0e192909b78f6929d83185a118b14daafde3cfeae8a197af3c614eda21a7087
Instruction Fuzzy Hash: A4714F7291020AAFDF50EFA4DC44FAEBBB8FF04350F1446A5E915B71A1DB71A905CB60

Function 00B9EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BBCC08), ref: 00B9EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B9EB37
GetClipboardData.USER32(0000000D), ref: 00B9EB43
CloseClipboard.USER32 ref: 00B9EB4F
GlobalLock.KERNEL32(00000000), ref: 00B9EB87
CloseClipboard.USER32 ref: 00B9EB91
GlobalUnlock.KERNEL32(00000000), ref: 00B9EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B9EBC9
GetClipboardData.USER32(00000001), ref: 00B9EBD1
GlobalLock.KERNEL32(00000000), ref: 00B9EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00B9EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B9EC38
GetClipboardData.USER32(0000000F), ref: 00B9EC44
GlobalLock.KERNEL32(00000000), ref: 00B9EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B9EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B9EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B9ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00B9ECF3
CountClipboardFormats.USER32 ref: 00B9ED14
CloseClipboard.USER32 ref: 00B9ED59

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: b019509c118d23704358dbf97fd65eb0aff599e321a5c600e83aee1e545f3979
Instruction ID: cbe1dd9736c4b70fa2d0f7870f7c2fa243be354c185f87c7bb6cc68637c994c4
Opcode Fuzzy Hash: b019509c118d23704358dbf97fd65eb0aff599e321a5c600e83aee1e545f3979
Instruction Fuzzy Hash: DF61BF35204202AFD700EF24D885F6A7BE4EF84714F1846ADF46A972A2DF71DD45CB62

Function 00B9698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B969BE
FindClose.KERNEL32(00000000), ref: 00B96A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B96A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B96A75

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B96AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B96ADF

Strings

%02d, xrefs: 00B96C00, 00B96C0A, 00B96C5A, 00B96CAA, 00B96CFA, 00B96D4A
%4d, xrefs: 00B96BB1
%03d, xrefs: 00B96DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00B96B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B96B32

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 307b23acf8b9ecb3a0022dca42b6d737e0b47ec7c79276e2c6fcda2168ed8490
Instruction ID: 748143a217a96c27b643b0b0aa93a73a6f1373a0a0ac302c45946486b88d121e
Opcode Fuzzy Hash: 307b23acf8b9ecb3a0022dca42b6d737e0b47ec7c79276e2c6fcda2168ed8490
Instruction Fuzzy Hash: E5D15071508310AFC710EB64D991EABB7ECAF98704F04496DF589C7191EB74DA48CB62

Function 00B99642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B99663
GetFileAttributesW.KERNEL32(?), ref: 00B996A1
SetFileAttributesW.KERNEL32(?,?), ref: 00B996BB
FindNextFileW.KERNEL32(00000000,?), ref: 00B996D3
FindClose.KERNEL32(00000000), ref: 00B996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00B996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00B9974A
SetCurrentDirectoryW.KERNEL32(00BE6B7C), ref: 00B99768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B99772
FindClose.KERNEL32(00000000), ref: 00B9977F
FindClose.KERNEL32(00000000), ref: 00B9978F

Strings

*.*, xrefs: 00B996F5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 02a3af9f51bfe4238c47f941642574707eef064932c27fdffd8f849127e6ef62
Instruction ID: b3340dd0a97e8da22f640821c23c21424ab976e535b774b4e198b13f6d2b84c4
Opcode Fuzzy Hash: 02a3af9f51bfe4238c47f941642574707eef064932c27fdffd8f849127e6ef62
Instruction Fuzzy Hash: FA319F325006196BDF64EFB9DC49ADE7BECDF49320F1442AAE815E31A0DF74DE408A64

Function 00B9979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00B99819
FindClose.KERNEL32(00000000), ref: 00B99824
FindFirstFileW.KERNEL32(*.*,?), ref: 00B99840
SetCurrentDirectoryW.KERNEL32(?), ref: 00B99890
SetCurrentDirectoryW.KERNEL32(00BE6B7C), ref: 00B998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B998B8
FindClose.KERNEL32(00000000), ref: 00B998C5
FindClose.KERNEL32(00000000), ref: 00B998D5

Part of subcall function 00B8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B8DB00

Strings

*.*, xrefs: 00B9983B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ef20e8465fe1b94db91f078bfd7252a008c4ddd0d2fa978dc5bda234a7657a98
Instruction ID: b24e73d114ec09409f9402cdea9cfd146d2fbd16725855fffff435e4a62ba020
Opcode Fuzzy Hash: ef20e8465fe1b94db91f078bfd7252a008c4ddd0d2fa978dc5bda234a7657a98
Instruction Fuzzy Hash: 8F31A2315006196FDF64EFB9DC89ADE77ECDF06360F1442EEE810A31A1DB70DA448A64

Function 00BABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAB6AE,?,?), ref: 00BAC9B5
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BAC9F1
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA68
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00BABFA9
RegCloseKey.ADVAPI32(00000000), ref: 00BABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BAC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BAC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BAC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BAC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00BAC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00BAC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BAC382
RegCloseKey.ADVAPI32(00000000), ref: 00BAC38F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8fda91d29fadc9cf1e705862955777ece280898da1acf9652ac92c3f208ee990
Instruction ID: 9b3b10712b4acb3b2fc7132390546d76609d069fb20548413988eff918b37797
Opcode Fuzzy Hash: 8fda91d29fadc9cf1e705862955777ece280898da1acf9652ac92c3f208ee990
Instruction Fuzzy Hash: DC023E71608210AFD714DF28C895E2ABBE5EF49314F18C49DF84ADB2A2DB31ED45CB51

Function 00B98195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B98257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B98267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B98273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B98310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B9838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98395

Strings

*.*, xrefs: 00B9839B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b014e8d06c27459977d98d11542a5d4b077514125d28454278894b6d4396a084
Instruction ID: 59c9e01629b7962a68066a11dd6c3a0444ba81cde034c50289a5c764fd748e6d
Opcode Fuzzy Hash: b014e8d06c27459977d98d11542a5d4b077514125d28454278894b6d4396a084
Instruction Fuzzy Hash: 29617A725083159FCB10EF64D8809AEB7E8FF89310F0489AEF999D7251DB31E945CB92

Function 00B8D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B23A97,?,?,00B22E7F,?,?,?,00000000), ref: 00B23AC2

Part of subcall function 00B8E199: GetFileAttributesW.KERNEL32(?,00B8CF95), ref: 00B8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B8D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B8D1DD
MoveFileW.KERNEL32(?,?), ref: 00B8D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B8D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8D237

Part of subcall function 00B8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B8D21C,?,?), ref: 00B8D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00B8D253
FindClose.KERNEL32(00000000), ref: 00B8D264

Strings

\*.*, xrefs: 00B8D0CD, 00B8D0D6, 00B8D0EB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ad2d20877b6fc8d39f1574e72a3cd7328f20c5f096f0c43991b57acb0a570e60
Instruction ID: 7c4877861248a3beb70e07ecbf21e9046beccddb4abf14becf423112e645ae59
Opcode Fuzzy Hash: ad2d20877b6fc8d39f1574e72a3cd7328f20c5f096f0c43991b57acb0a570e60
Instruction Fuzzy Hash: 36613A3180111DABCF05FFA0E9929EDBBF5AF55340F2441A6E40A771A1EB30AF09CB60

Function 00B9ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B9ED91
EmptyClipboard.USER32 ref: 00B9ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B9EDAC
CloseClipboard.USER32 ref: 00B9EEA3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 027509f10c073f7bf0fda8abfc6841311f7906e03127f147186d1de6392c7c3e
Instruction ID: bafeeab0e3ba54824cda442a457af2e96c65abcc15eb0d2c7f823f9455a5c7ff
Opcode Fuzzy Hash: 027509f10c073f7bf0fda8abfc6841311f7906e03127f147186d1de6392c7c3e
Instruction Fuzzy Hash: 38418E35604611AFDB10DF15E888F19BBE5FF44328F15C5A9E42A8B662CB75EC41CB90

Function 00B8E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B8170D
Part of subcall function 00B816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B8173A
Part of subcall function 00B816C3: GetLastError.KERNEL32 ref: 00B8174A

ExitWindowsEx.USER32(?,00000000), ref: 00B8E932

Strings

SeShutdownPrivilege, xrefs: 00B8E902
, xrefs: 00B8E95C
, xrefs: 00B8E920
@, xrefs: 00B8E925

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 85d7e3277378a1505c8849619c627ee1d30d4e80a8d5b254130cbe41f6d69677
Instruction ID: e245ac6d2ab45a10d45c3fad185580c42c80fddc280443bea053ea341d45f060
Opcode Fuzzy Hash: 85d7e3277378a1505c8849619c627ee1d30d4e80a8d5b254130cbe41f6d69677
Instruction Fuzzy Hash: 8501A272610211ABEB6476B89C8ABBB76DCD714751F1549A2F822E31F2DAF0DC40C3A4

Function 00BA1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BA1276
WSAGetLastError.WSOCK32 ref: 00BA1283
bind.WSOCK32(00000000,?,00000010), ref: 00BA12BA
WSAGetLastError.WSOCK32 ref: 00BA12C5
closesocket.WSOCK32(00000000), ref: 00BA12F4
listen.WSOCK32(00000000,00000005), ref: 00BA1303
WSAGetLastError.WSOCK32 ref: 00BA130D
closesocket.WSOCK32(00000000), ref: 00BA133C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: d9065a807a5b817fa83f9b103acca3d41ce501206f1b6128d48cc7cdc2776233
Instruction ID: 40b7325afe110126bcbf67eb104beb8356d0fdf02f826c028f72ebaf4e9e433c
Opcode Fuzzy Hash: d9065a807a5b817fa83f9b103acca3d41ce501206f1b6128d48cc7cdc2776233
Instruction Fuzzy Hash: 0C419131604210AFD710DF28D888B29BBE5EF46318F1885C8E85A9F2D2C771EC85CBE1

Function 00B8D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B23A97,?,?,00B22E7F,?,?,?,00000000), ref: 00B23AC2

Part of subcall function 00B8E199: GetFileAttributesW.KERNEL32(?,00B8CF95), ref: 00B8E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B8D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B8D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B8D481
FindClose.KERNEL32(00000000), ref: 00B8D498
FindClose.KERNEL32(00000000), ref: 00B8D4A1

Strings

\*.*, xrefs: 00B8D3F2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 321ebf453847755a2b7108c6ccba4a5a1d8482120f0603f5a663565e784fc8fc
Instruction ID: 4c0e551da074e4e21a75634fba70d1b19d6609d1e2d9a22dd09b5f5e429b96bf
Opcode Fuzzy Hash: 321ebf453847755a2b7108c6ccba4a5a1d8482120f0603f5a663565e784fc8fc
Instruction Fuzzy Hash: 3E316F310183559FC204FF64D8918AF77E8BE95710F484E9EF4D9531A1EB30AA09CB62

Function 00B5E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B5E645

Strings

1#QNAN, xrefs: 00B5F84B
1#INF, xrefs: 00B5F852
1#IND, xrefs: 00B5F83D
1#SNAN, xrefs: 00B5F844

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1577e24ff1d3a08724864266b0bae5ccbc5ad254e8cd91d4916c5146146a498d
Instruction ID: 11b73c24dfa965cf7ab6d869ff6bae9a37689f8577f333562ddd814992eb8506
Opcode Fuzzy Hash: 1577e24ff1d3a08724864266b0bae5ccbc5ad254e8cd91d4916c5146146a498d
Instruction Fuzzy Hash: 83C23B71E046298FDB69CE28DD407EAB7F5EB48306F1441EAD85DE7240E774AE898F40

Function 00B9648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B964DC
CoInitialize.OLE32(00000000), ref: 00B96639
CoCreateInstance.OLE32(00BBFCF8,00000000,00000001,00BBFB68,?), ref: 00B96650
CoUninitialize.OLE32 ref: 00B968D4

Strings

.lnk, xrefs: 00B964BA, 00B96524, 00B965E0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 531a34edeed7a90b468c29bb7579d3ed1f825592f1e60897a5a505c8e0a99c9d
Instruction ID: 67b798a2b7b38fa6bd57985672204b34f5ec4e8f7af4e5ec5468faa114696778
Opcode Fuzzy Hash: 531a34edeed7a90b468c29bb7579d3ed1f825592f1e60897a5a505c8e0a99c9d
Instruction Fuzzy Hash: 73D15C71508215AFC704EF24D891D6BB7E9FF98704F0049ADF5998B2A1DB70ED09CBA2

Function 00BA22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00BA22E8

Part of subcall function 00B9E4EC: GetWindowRect.USER32(?,?), ref: 00B9E504

GetDesktopWindow.USER32 ref: 00BA2312
GetWindowRect.USER32(00000000), ref: 00BA2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00BA2355
GetCursorPos.USER32(?), ref: 00BA2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BA23DF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 103f578ff4b33d422e3adfb41556d9a6fa4604ac5550863ba1fbc09613d81b67
Instruction ID: 145becf000af9f2ce56e784563008f08ec071a5b4c72689c91c9e5543b055c3a
Opcode Fuzzy Hash: 103f578ff4b33d422e3adfb41556d9a6fa4604ac5550863ba1fbc09613d81b67
Instruction Fuzzy Hash: 4731E272508315AFCB20DF18D845F5BBBE9FF86310F000A59F99597191DB74EA08CB96

Function 00B99B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B99B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B99C8B

Part of subcall function 00B93874: GetInputState.USER32 ref: 00B938CB
Part of subcall function 00B93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B93966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B99BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B99C75

Strings

*.*, xrefs: 00B99B5D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 074d105939c1b8bd457c1d16ad3b9b8c4462fa1cc8adce6bf7841fa0486660fc
Instruction ID: 6ab50fd2982d59f8b15f234bdaa1e319943002bc00e960f7450f3afa4ab5041b
Opcode Fuzzy Hash: 074d105939c1b8bd457c1d16ad3b9b8c4462fa1cc8adce6bf7841fa0486660fc
Instruction Fuzzy Hash: 4F41827190060AAFCF54DF68DC85AEEBBF8EF05310F2441AAE409A3191EB709E44CF60

Function 00B3997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B39A4E
GetSysColor.USER32(0000000F), ref: 00B39B23
SetBkColor.GDI32(?,00000000), ref: 00B39B36

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 6a3134b8550a89107dc9508b50f81002abd3ce4ff65d96019da0708c041e52d5
Instruction ID: 2e36dc3d6b73a9ac6cf75619cc4cac21bc4f9460d4d56f50ec5f24e055a34baa
Opcode Fuzzy Hash: 6a3134b8550a89107dc9508b50f81002abd3ce4ff65d96019da0708c041e52d5
Instruction Fuzzy Hash: 59A10371248404EFE728AA2D8C99EBB3ADDDB42340F3587C9F122D7695CEA5DD01C272

Function 00BA1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BA307A
Part of subcall function 00BA304E: _wcslen.LIBCMT ref: 00BA309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BA185D
WSAGetLastError.WSOCK32 ref: 00BA1884
bind.WSOCK32(00000000,?,00000010), ref: 00BA18DB
WSAGetLastError.WSOCK32 ref: 00BA18E6
closesocket.WSOCK32(00000000), ref: 00BA1915

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 08c615378af04afa33d5e0f3975aaea01a03a26c4371466440cd98c74dd22991
Instruction ID: b7909708365ffe09b1d073135872cf6b16223276e17fe6dd74fa7a2adb05154d
Opcode Fuzzy Hash: 08c615378af04afa33d5e0f3975aaea01a03a26c4371466440cd98c74dd22991
Instruction Fuzzy Hash: 2251B171A00210AFDB10EF24D896F6A7BE5EF49718F148498F9096F383CB75AD418BA1

Function 00BB1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BB1CC0
IsWindowEnabled.USER32 ref: 00BB1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00BB1CDB
IsIconic.USER32 ref: 00BB1CE9
IsZoomed.USER32 ref: 00BB1CF7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a3c86f66d2b76e425ee961bee48d02823147f8811fda03ff46ab9e927bf44b81
Instruction ID: e0488cb0408b853640c7af4a38c74a9c3560fe52aa909dff5e197b89d96c0bb1
Opcode Fuzzy Hash: a3c86f66d2b76e425ee961bee48d02823147f8811fda03ff46ab9e927bf44b81
Instruction Fuzzy Hash: 002191317402115FD7208F1ED8A4BBA7FE5EF95314B5984A8E84ACB351CBB1ED42CB90

Function 00B28060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00B2813C
VUUU, xrefs: 00B2843C
VUUU, xrefs: 00B65DF0
VUUU, xrefs: 00B283FA
VUUU, xrefs: 00B283E8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 553c185d8abdbcd14d471612eab074838fe84674d1d0e49e10e6b19717c46502
Instruction ID: bbc73eb1ba92e47f14b2d9d7d050fc4766219801622b1a3d049d270bf7863b1d
Opcode Fuzzy Hash: 553c185d8abdbcd14d471612eab074838fe84674d1d0e49e10e6b19717c46502
Instruction Fuzzy Hash: BEA25D71E0162ACBDF24CF58D8907ADB7F1FB54310F2481EAE819A7285DB789D91CB90

Function 00B8AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B8AAAC
SetKeyboardState.USER32(00000080), ref: 00B8AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B8AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B8AB88

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 241cf957108e22e64ac6f8f21a157ce8d70560e6db44ffd76154f677bd5ba310
Instruction ID: 1cfc0ac1b256fdf74183ac3fc12fa4681c7921940844f7c6a645dff65e0b7896
Opcode Fuzzy Hash: 241cf957108e22e64ac6f8f21a157ce8d70560e6db44ffd76154f677bd5ba310
Instruction Fuzzy Hash: 9131F430A40248AFFF35EA64CC45BFA7BE6EB44320F08429BF581965F1D7B58985C762

Function 00B5BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B5BB7F

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

GetTimeZoneInformation.KERNEL32 ref: 00B5BB91
WideCharToMultiByte.KERNEL32(00000000,?,00BF121C,000000FF,?,0000003F,?,?), ref: 00B5BC09
WideCharToMultiByte.KERNEL32(00000000,?,00BF1270,000000FF,?,0000003F,?,?,?,00BF121C,000000FF,?,0000003F,?,?), ref: 00B5BC36

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 05a1a6d9ecd590cbefd2bcedd3f1900225056b43aa74cf8afd9df2bc5b7fceb2
Instruction ID: 8eb74447601060a4b56681a8e89278d5d060423f4d46ab4bc32d7a2a98242883
Opcode Fuzzy Hash: 05a1a6d9ecd590cbefd2bcedd3f1900225056b43aa74cf8afd9df2bc5b7fceb2
Instruction Fuzzy Hash: 23319C71904205DFCB15DFAD9C80E79BBF8FF463117144AEAE860E72A1DB709908CB54

Function 00B9CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B9CE89
GetLastError.KERNEL32(?,00000000), ref: 00B9CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00B9CEFE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bf03075ceecfb0834a89dba3dbe9fd88e6683ed324a3ed66dcaeece18326eafc
Instruction ID: ef33a67f0d2462d4b7993d2f7ffd195fa9cd4767ee5e1ee2a55a1dfaa1355c0d
Opcode Fuzzy Hash: bf03075ceecfb0834a89dba3dbe9fd88e6683ed324a3ed66dcaeece18326eafc
Instruction Fuzzy Hash: 30219D71500B05ABDB20DF65C988BA67FF8EB50354F1044AEE546D3151EB70EE089B64

Function 00B88298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B882AA

Strings

|, xrefs: 00B882DA
(, xrefs: 00B882F0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dbc08932b67b4390c33985f68f586422e20aa6340af7220f06400a4a335c73e2
Instruction ID: 48a53d6c88df9233f1288e5e79832fc703fa5128ae6d03ce3f08c0ee77d3fea2
Opcode Fuzzy Hash: dbc08932b67b4390c33985f68f586422e20aa6340af7220f06400a4a335c73e2
Instruction Fuzzy Hash: 46324475A00605DFCB28DF59C480A6AB7F0FF48710B55C5AEE49ADB3A1EB70E981CB44

Function 00B95C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B95CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00B95D17
FindClose.KERNEL32(?), ref: 00B95D5F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d557f3cf928ab3c4681cc19abfc1b4deccaa038dc8a96d54d4eb70822ed0ba6d
Instruction ID: aef65df147c1709c65de8eff1fff73564daeca332929a47b9ed01bcb8f13bb8d
Opcode Fuzzy Hash: d557f3cf928ab3c4681cc19abfc1b4deccaa038dc8a96d54d4eb70822ed0ba6d
Instruction Fuzzy Hash: 31518D746046019FCB25DF28D494E9ABBE4FF49314F1485ADE95A8B3A2CB30ED44CB91

Function 00B52622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B5271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B52724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B52731

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 394cf28a76a4cac85ce468dcfd11f676e0cd83530bc7a32cca06ffd781a6befe
Instruction ID: 7e26614a8c0b0db33cfe03ed89e00ae243fa11512b0494eea1772330d4755477
Opcode Fuzzy Hash: 394cf28a76a4cac85ce468dcfd11f676e0cd83530bc7a32cca06ffd781a6befe
Instruction Fuzzy Hash: D731B7759112189BCB21DF64DC8979DBBF8EF08310F5041EAE81CA7261EB709F859F45

Function 00B951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B95238
SetErrorMode.KERNEL32(00000000), ref: 00B952A1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c2bf7e4574dc48f28c3f09996bfd39060157086e8fee3f2ec2e616d60a9c64f3
Instruction ID: 29d3d6aff6559538fc7f91906c3c0822067f647b8bbd3744e364db84b81ff020
Opcode Fuzzy Hash: c2bf7e4574dc48f28c3f09996bfd39060157086e8fee3f2ec2e616d60a9c64f3
Instruction Fuzzy Hash: 65313E75A00518DFDB00DF54D894EADBBF4FF49314F0880A9E809AB3A2DB71E855CB91

Function 00B816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B40668
Part of subcall function 00B3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B40685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B8170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B8173A
GetLastError.KERNEL32 ref: 00B8174A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 2ddd31897332ae326e25b1ca5aec6b6a200274e2d29197ebf9c717f7b547f228
Instruction ID: f247bf0d1bf7e21509c4f1e7ac3653c795d538e53f44c1cd1de34facd00b1c52
Opcode Fuzzy Hash: 2ddd31897332ae326e25b1ca5aec6b6a200274e2d29197ebf9c717f7b547f228
Instruction Fuzzy Hash: 6C118CB2904205AFD718AF58DC8AD6ABBFDEB44714B20856EF05657251EB70BC42CB24

Function 00B8D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B8D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B8D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B8D650

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: e95e6d8b37aa3b6e863b5d6a9f247cd8b983ffe6867094c36c71c0cc44391f68
Instruction ID: 502c5f747e956470dd4cfd0260eb6d841e52439e36b910b22a27fcbc3b811db8
Opcode Fuzzy Hash: e95e6d8b37aa3b6e863b5d6a9f247cd8b983ffe6867094c36c71c0cc44391f68
Instruction Fuzzy Hash: 1A113C75E05228BBDB109F99EC45FAFBFBCEB45B50F108166F904E7290D6B04A058BA1

Function 00B81663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B8168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B816A1
FreeSid.ADVAPI32(?), ref: 00B816B1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1725947790b02b37390af36b18dcb454e0b5e593dddffc5fd43b3bba02390955
Instruction ID: ad8001445ee8b1a6215a5b30da605d510c4be5fb9912a69fdf9e6e8c7de12df1
Opcode Fuzzy Hash: 1725947790b02b37390af36b18dcb454e0b5e593dddffc5fd43b3bba02390955
Instruction Fuzzy Hash: FCF0F471950309FBDB00EFE4DC89AAEBBBCFB08604F5049A5E501E2191E774AA448B60

Function 00B7D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B7D28C

Strings

X64, xrefs: 00B7D2A8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 76efa0f106199213679e380cf974c6e14ff2cc35bfcfd0b58a2ab3840650896f
Instruction ID: ee634224b830b4dce074605121a34bf98f791ff2f8f9cb334518611d3f560f6b
Opcode Fuzzy Hash: 76efa0f106199213679e380cf974c6e14ff2cc35bfcfd0b58a2ab3840650896f
Instruction Fuzzy Hash: 5DD0CAB480512DEBCB94DBA0ECC8DDEB7BCBB04345F204292F50AA2000DB7096498F20

Function 00B4CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 1fc3f835f4b82a803b7b7f8ef2f272b91fbe9378ad6efe996f8c8de493d80c8d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B3024D72E012199FDF54CFA9C8806ADFBF1EF48714F2581AAD819E7381D730AE459B84

Function 00B968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B96918
FindClose.KERNEL32(00000000), ref: 00B96961

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4070b6b62afd33d033e3e06c5b7c0de8e333adf040a6c9a9350143032e06bcc9
Instruction ID: 99e1ad7eed6ac3945cae4ec417694071e5ec7c98ba7b4a398123ceaaac890eae
Opcode Fuzzy Hash: 4070b6b62afd33d033e3e06c5b7c0de8e333adf040a6c9a9350143032e06bcc9
Instruction Fuzzy Hash: F21193316042109FCB10DF29D484A16BBE5FF89328F14C6A9E4698F6A2CB30EC05CB91

Function 00B937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00BA4891,?,?,00000035,?), ref: 00B937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00BA4891,?,?,00000035,?), ref: 00B937F4

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6cc96c68236aa614fd09e10a28040d81938d6fdfa5f492e52ff7603385105b4f
Instruction ID: 855f70efa21cae6a04656784b38bbe7c7fb3b6f152b2ff43214ebd4921b05678
Opcode Fuzzy Hash: 6cc96c68236aa614fd09e10a28040d81938d6fdfa5f492e52ff7603385105b4f
Instruction Fuzzy Hash: 10F0E5B06042286BEB2057A69C4DFEB3EEEEFC4B61F0002B5F509D3291D9A09D44C6B1

Function 00B8B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B8B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B8B270

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: dbca1398d060df2b2b3c60c5c4331884c447bab56832b8f288727804a7e60472
Instruction ID: 18667a4040eb079b1fea5852739119c3652a740259193e685f950683ffd55d94
Opcode Fuzzy Hash: dbca1398d060df2b2b3c60c5c4331884c447bab56832b8f288727804a7e60472
Instruction Fuzzy Hash: 82F01D7180424DABDB15DFA5C806BEE7FB4FF04305F008059F965A61A1C7799611DF94

Function 00B810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B811FC), ref: 00B810D4
CloseHandle.KERNEL32(?,?,00B811FC), ref: 00B810E9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 0d0dbf8ca30eaa62e3a43329e2678176d0323a8e92987b1bbc15f13f0e3ea08d
Instruction ID: 9924b1defda22a253c9d23548c043d6e376ef4bcf5629701aaf2f3ada9fd59eb
Opcode Fuzzy Hash: 0d0dbf8ca30eaa62e3a43329e2678176d0323a8e92987b1bbc15f13f0e3ea08d
Instruction Fuzzy Hash: 8EE04F32408611AFE7256B11FC09E737BE9EB04310F20896DF4A5814B1DBA2AC90DB14

Function 00B2CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B70C40

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c2a4d85fac8b42142dd1a235284b825750e3281bfc254709b462d9f7be02db09
Instruction ID: 730db961e48bf99251b92906626f385b8864ecab173032a2088d6e81b3592bd7
Opcode Fuzzy Hash: c2a4d85fac8b42142dd1a235284b825750e3281bfc254709b462d9f7be02db09
Instruction Fuzzy Hash: C0327F70910228DBCF14EF94E985AEDBBF5FF05344F2080AAE81EAB291D775AD45CB50

Function 00B5676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B56766,?,?,00000008,?,?,00B5FEFE,00000000), ref: 00B56998

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1269b93e372a4ee88b9464a0c62ab8a60c7d8f731d96fdd187afc07699ce52fb
Instruction ID: 1b14549a52565281538b74bb92b96c8edd9f7378d5df9b2f681b679f4ae036a0
Opcode Fuzzy Hash: 1269b93e372a4ee88b9464a0c62ab8a60c7d8f731d96fdd187afc07699ce52fb
Instruction Fuzzy Hash: FFB15B316106089FD715CF28C48AB647BE0FF09366F6586D9EC99CF2A2C335E989CB40

Function 00B3B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00B7851F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 58575aa5f36b2caa3a60d1eeabdae008ad167f8bff034c76a77d3249091d4cf4
Instruction ID: 797925a3acc81f7494c019d034c0347d4c8dccdd9a521ec6791e1140b8ce3295
Opcode Fuzzy Hash: 58575aa5f36b2caa3a60d1eeabdae008ad167f8bff034c76a77d3249091d4cf4
Instruction Fuzzy Hash: 8C125E71D002299FCB14CF58C881AEEB7F5FF48710F25819AE959EB255EB309A81CF94

Function 00B9EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B9EABD

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: bc042b697d28d73faff31d197015c4766d81ba48f3003e3135beb8fea4989ca3
Instruction ID: 7a6a5656072310ac384749cf6ac498a0976b6f5291748020a9331d7765c297f6
Opcode Fuzzy Hash: bc042b697d28d73faff31d197015c4766d81ba48f3003e3135beb8fea4989ca3
Instruction Fuzzy Hash: 2DE048312102149FD710DF69D444E9AFBD9EF58760F048466FC49C7361DB70E8418B90

Function 00B409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B403EE), ref: 00B409DA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 28006d56e54640c373b340ba6dddd613767133c6fb43e8b9b5c7d14794d4d6ab
Instruction ID: ffdfa32a5604200cf114ae2c5cc21182c8aefdd0644766b1967b565eddd868c2
Opcode Fuzzy Hash: 28006d56e54640c373b340ba6dddd613767133c6fb43e8b9b5c7d14794d4d6ab
Instruction Fuzzy Hash:

Function 00B4781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B4798B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6e4f694ad96c0a5776923bffef377681e6d58bacb9e9c807726b14affb52ea31
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 775156716CC6496BDF38856A889EBBE23D9DB12300F1809CAD886D7282CF15DF05F356

Function 00B56DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60212ef307b8ad53ec0c8b093180f7e2461a080855dbc2718f80a225512e95b
Instruction ID: 369bc2b80b2fc4949de7156d00f671d1cd848d90efa61866f5dd749670237b22
Opcode Fuzzy Hash: f60212ef307b8ad53ec0c8b093180f7e2461a080855dbc2718f80a225512e95b
Instruction Fuzzy Hash: A5320421E69F014DD7239634E8223356689EFBB3C6F15D777EC1AB6AA5EF29C4834100

Function 00B3CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d3f281b26db630c7af630732a8020134b79d8c4f357ad1a610e705ff0d30ee
Instruction ID: 0f54377ec71c888d1428b9ad6d04e967282773f395ab6f8c8f2b7c52c92fd2ad
Opcode Fuzzy Hash: 74d3f281b26db630c7af630732a8020134b79d8c4f357ad1a610e705ff0d30ee
Instruction Fuzzy Hash: DB32E231A041598BCF28CE68C4D467D7FE1EB45300F68C5EED86EAB296D630DD82DB81

Function 00B27920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1fc161417a0d37791833fa1f209df1df7efb3b0942c1009743fe36ffd10255
Instruction ID: 972d4c7d542ed63b34f17b036ad34f0a8e1c90062b0f07c3d8ce901088dbe4d2
Opcode Fuzzy Hash: 1f1fc161417a0d37791833fa1f209df1df7efb3b0942c1009743fe36ffd10255
Instruction Fuzzy Hash: 1A22D370E0061ADFDF14CF65D885AAEB3F5FF48300F2045A9E81AA7291EB399D14CB54

Function 00B291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e5693edeb241a64f6307e5df576f5c678c1f8e8c6fd8e69f2f9c9f717112d1
Instruction ID: 76800ab715723dd020a15afe37aea2f5be44d835e1d701360ee022e4d2fe37a8
Opcode Fuzzy Hash: 08e5693edeb241a64f6307e5df576f5c678c1f8e8c6fd8e69f2f9c9f717112d1
Instruction Fuzzy Hash: 0002A8B1E00216EFDB04DF54D881AADB7F1FF44304F2081A9E81A9B291EB35EA55CB95

Function 00B59EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efdaddfce9dd994dceade10d3e1ec46585f9580bec6dd7705180be71c200a9fb
Instruction ID: 2ea15e6d071701950db942325d5c138b8e4459e71801df2d24d653c2bfcad77d
Opcode Fuzzy Hash: efdaddfce9dd994dceade10d3e1ec46585f9580bec6dd7705180be71c200a9fb
Instruction Fuzzy Hash: 1DB1F220E2AF804DC22396398831336B69CAFFB6D5F91D31BFC2675D22EF2685834144

Function 00B41C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 32afe47d733adbf7836ade6e85e0bc6dbeb85a54d624d5185c4218c95c1491b6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 03915672A490A349DB29463D857403DFFE1DA523A131A0BEDD4F2CA1C5EE249B95F620

Function 00B41F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: d4d9eee6c6d99d26acf56115bef9d269f618cf6053fe501fe2e3b2f237841636
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: AE9164726090A349DB29433D857403EFFE19A923A135A07DDE4F2DB1C5EE24CB99F620

Function 00B419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: e85fc5fe6f4aff6e79eab46ee5855de12b2a0cb04940d576fd8f33ec74fe3cbe
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FF912372A090E34ADB69467E857403DFFE1DA923A131A0BDDD4F2CA1C1FE248795B620

Function 00B47A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482feeac5e635b9be446ec41fe3497d3169ef0ed98e90ea541e7313fa42a1c6e
Instruction ID: 328b8d241296d525c821c94ea32fc5bfb05c70513981a536ac2f69d8de981ca5
Opcode Fuzzy Hash: 482feeac5e635b9be446ec41fe3497d3169ef0ed98e90ea541e7313fa42a1c6e
Instruction Fuzzy Hash: 866168716C874966DE349A288DF5BBE23D4DF41700F1009DAE982DB282DF119F42F356

Function 00B47CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4334c6be7d557114fcde704ff16b13ca74ca2381889398ae3d546c635c4132
Instruction ID: 76831f4dc471c42d523ca4fb53dd7752abe1d02a66a9f24974f1153cf615b65f
Opcode Fuzzy Hash: ed4334c6be7d557114fcde704ff16b13ca74ca2381889398ae3d546c635c4132
Instruction Fuzzy Hash: 9F617CB1AE874967DE3899284895BBE23C8DF46704F100AE9E942DB281DF129F42F255

Function 00B41706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6597abf6e756c30ca38f20518f9254492a8d28c26d61d1471bfdcae0129f73ea
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 84816672A090E349DB6D467D857443EFFE19A923A131A0BDDD4F2CA1C1EE249B94F620

Function 00B92046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1065ff3512d9db9bcae395b71254cdfb9743698e4df7064e1fb83414dd9fa2
Instruction ID: d7b897c43f93068673b9582d10c594d676785f34adccdd044d7d0a660e525c27
Opcode Fuzzy Hash: 0c1065ff3512d9db9bcae395b71254cdfb9743698e4df7064e1fb83414dd9fa2
Instruction Fuzzy Hash: F321B7326206159BDB28CF79C82367E73E5E754320F15866EE4A7C37D1DE35A904CB80

Function 00BA2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BA2B30
DeleteObject.GDI32(00000000), ref: 00BA2B43
DestroyWindow.USER32 ref: 00BA2B52
GetDesktopWindow.USER32 ref: 00BA2B6D
GetWindowRect.USER32(00000000), ref: 00BA2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00BA2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00BA2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2CF8
GetClientRect.USER32(00000000,?), ref: 00BA2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BA2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2D80
GlobalLock.KERNEL32(00000000), ref: 00BA2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2D98
GlobalUnlock.KERNEL32(00000000), ref: 00BA2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2DA8
GlobalFree.KERNEL32(00000000), ref: 00BA2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BBFC38,00000000), ref: 00BA2DDB
GlobalFree.KERNEL32(00000000), ref: 00BA2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00BA2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00BA2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA303F

Strings

, xrefs: 00BA2FC5
static, xrefs: 00BA2D3A, 00BA2E91
AutoIt v3, xrefs: 00BA2CF2
DISPLAY, xrefs: 00BA2EA2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8e566e33866e7d4261111d61ae6501fac628c6bcfa26b89bc43100dcbf58bef2
Instruction ID: 9112aebc2df10c61f2628dd7e0b185869e33379446ae150722e1fcc871d37c78
Opcode Fuzzy Hash: 8e566e33866e7d4261111d61ae6501fac628c6bcfa26b89bc43100dcbf58bef2
Instruction Fuzzy Hash: 10025A71900215EFDB14DF68DC89EAE7BB9EF49710F048698F915AB2A1DB70ED01CB60

Function 00BB70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BB712F
GetSysColorBrush.USER32(0000000F), ref: 00BB7160
GetSysColor.USER32(0000000F), ref: 00BB716C
SetBkColor.GDI32(?,000000FF), ref: 00BB7186
SelectObject.GDI32(?,?), ref: 00BB7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00BB71C0
GetSysColor.USER32(00000010), ref: 00BB71C8
CreateSolidBrush.GDI32(00000000), ref: 00BB71CF
FrameRect.USER32(?,?,00000000), ref: 00BB71DE
DeleteObject.GDI32(00000000), ref: 00BB71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00BB7230
FillRect.USER32(?,?,?), ref: 00BB7262
GetWindowLongW.USER32(?,000000F0), ref: 00BB7284

Part of subcall function 00BB73E8: GetSysColor.USER32(00000012), ref: 00BB7421
Part of subcall function 00BB73E8: SetTextColor.GDI32(?,?), ref: 00BB7425
Part of subcall function 00BB73E8: GetSysColorBrush.USER32(0000000F), ref: 00BB743B
Part of subcall function 00BB73E8: GetSysColor.USER32(0000000F), ref: 00BB7446
Part of subcall function 00BB73E8: GetSysColor.USER32(00000011), ref: 00BB7463
Part of subcall function 00BB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BB7471
Part of subcall function 00BB73E8: SelectObject.GDI32(?,00000000), ref: 00BB7482
Part of subcall function 00BB73E8: SetBkColor.GDI32(?,00000000), ref: 00BB748B
Part of subcall function 00BB73E8: SelectObject.GDI32(?,?), ref: 00BB7498
Part of subcall function 00BB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00BB74B7
Part of subcall function 00BB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BB74CE
Part of subcall function 00BB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00BB74DB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4dbaf7ca43ec950aa4d84589df8a7c22b542275941053f203e9fe6c8c5a635d3
Instruction ID: 090db5a996a535e308ade3314fde68eee1dec8a8d66fecb3b758fe3cafac555c
Opcode Fuzzy Hash: 4dbaf7ca43ec950aa4d84589df8a7c22b542275941053f203e9fe6c8c5a635d3
Instruction Fuzzy Hash: 00A17371008701AFD711DF64DC49EAB7BE9FB89320F100B19F9A2A71A1DBB1D945CB61

Function 00B38D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B38E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B76AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B76AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B76F43

Part of subcall function 00B38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B38BE8,?,00000000,?,?,?,?,00B38BBA,00000000,?), ref: 00B38FC5

SendMessageW.USER32(?,00001053), ref: 00B76F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B76F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B76FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B76FB7

Strings

0, xrefs: 00B76DCF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: d47e73e1cd93ba85f6f3df818a4d895f6cbab17669915ac6eb9b3a3e68b9f558
Instruction ID: 51fb93d3d04e9e7affe5a4ad287b20feb5615c9839f0472d263af0f6afaf1f0e
Opcode Fuzzy Hash: d47e73e1cd93ba85f6f3df818a4d895f6cbab17669915ac6eb9b3a3e68b9f558
Instruction Fuzzy Hash: 2F128E30204611EFDB25CF28C894BB5BBE5FB55300F2489A9F4A9CB661CB71EC52DB91

Function 00BA2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BA273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BA286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00BA28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00BA28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00BA2900
GetClientRect.USER32(00000000,?), ref: 00BA290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00BA2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BA2964
GetStockObject.GDI32(00000011), ref: 00BA2974
SelectObject.GDI32(00000000,00000000), ref: 00BA2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00BA2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA2991
DeleteDC.GDI32(00000000), ref: 00BA299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BA29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BA29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00BA2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BA2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BA2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00BA2A77
GetStockObject.GDI32(00000011), ref: 00BA2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BA2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00BA2A97

Strings

msctls_progress32, xrefs: 00BA2A13
static, xrefs: 00BA294F, 00BA2A71
AutoIt v3, xrefs: 00BA28F8
DISPLAY, xrefs: 00BA295A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8b2c4f215ab4f5ce018ad9296ce5985f1c1f63aa1e682c1b9974b6fe51e961ba
Instruction ID: 7b079cefd4fde309dafe1ec9dbbcfb52b285d5eb542a9eec5c59945b5d08434e
Opcode Fuzzy Hash: 8b2c4f215ab4f5ce018ad9296ce5985f1c1f63aa1e682c1b9974b6fe51e961ba
Instruction Fuzzy Hash: 17B15B71A00215BFEB14DF68DC49FAE7BB9EB09710F004654F915EB2A0DBB4AD40CBA4

Function 00B94ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B94AED
GetDriveTypeW.KERNEL32(?,00BBCB68,?,\\.\,00BBCC08), ref: 00B94BCA
SetErrorMode.KERNEL32(00000000,00BBCB68,?,\\.\,00BBCC08), ref: 00B94D36

Strings

Fixed, xrefs: 00B94C09
Fibre, xrefs: 00B94CAD
CDROM, xrefs: 00B94BFB
SAS, xrefs: 00B94CC9
1394, xrefs: 00B94C9F
Removable, xrefs: 00B94C10, 00B94C15
PhysicalDrive, xrefs: 00B94B76
Network, xrefs: 00B94C02
MMC, xrefs: 00B94CDE
\\.\, xrefs: 00B94B3F
FileBackedVirtual, xrefs: 00B94CEC
SSA, xrefs: 00B94CA6
USB, xrefs: 00B94CB4
ATAPI, xrefs: 00B94C91
SATA, xrefs: 00B94CD0
RAMDisk, xrefs: 00B94BF4
Unknown, xrefs: 00B94BED, 00B94C83
SSD, xrefs: 00B94C4A
iSCSI, xrefs: 00B94CC2
Virtual, xrefs: 00B94CE5
ATA, xrefs: 00B94C98
RAID, xrefs: 00B94CBB
SCSI, xrefs: 00B94C8A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 83ae692fc4007dc38c8b0004892d8829129de500bff7f2c1e6dad692df63e4a7
Instruction ID: c5067ec6f7c180c8111cae4d0931759527f7f603f2a63f3e89fdbbce4b4ca474
Opcode Fuzzy Hash: 83ae692fc4007dc38c8b0004892d8829129de500bff7f2c1e6dad692df63e4a7
Instruction Fuzzy Hash: 1E618D30605149AFCF04DF25CA81D69B7F0EF19384B3485F6E80AAB2A1DB65ED42DB41

Function 00BB73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BB7421
SetTextColor.GDI32(?,?), ref: 00BB7425
GetSysColorBrush.USER32(0000000F), ref: 00BB743B
GetSysColor.USER32(0000000F), ref: 00BB7446
CreateSolidBrush.GDI32(?), ref: 00BB744B
GetSysColor.USER32(00000011), ref: 00BB7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BB7471
SelectObject.GDI32(?,00000000), ref: 00BB7482
SetBkColor.GDI32(?,00000000), ref: 00BB748B
SelectObject.GDI32(?,?), ref: 00BB7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00BB74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BB74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00BB74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BB752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BB7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00BB7572
DrawFocusRect.USER32(?,?), ref: 00BB757D
GetSysColor.USER32(00000011), ref: 00BB758E
SetTextColor.GDI32(?,00000000), ref: 00BB7596
DrawTextW.USER32(?,00BB70F5,000000FF,?,00000000), ref: 00BB75A8
SelectObject.GDI32(?,?), ref: 00BB75BF
DeleteObject.GDI32(?), ref: 00BB75CA
SelectObject.GDI32(?,?), ref: 00BB75D0
DeleteObject.GDI32(?), ref: 00BB75D5
SetTextColor.GDI32(?,?), ref: 00BB75DB
SetBkColor.GDI32(?,?), ref: 00BB75E5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8b6228e72ff060a24551181f0209c30fcdc9d1b1335d0bd66381bd789e474d2f
Instruction ID: 7245e8733cdc662ff619cd711b33d2df835964af90c54ed32c9994310e7e3c3c
Opcode Fuzzy Hash: 8b6228e72ff060a24551181f0209c30fcdc9d1b1335d0bd66381bd789e474d2f
Instruction Fuzzy Hash: DD616172904618AFDF11DFA4DC49EEE7FB9EB48320F114255F915BB2A1DBB09940CB90

Function 00BB0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BB1128
GetDesktopWindow.USER32 ref: 00BB113D
GetWindowRect.USER32(00000000), ref: 00BB1144
GetWindowLongW.USER32(?,000000F0), ref: 00BB1199
DestroyWindow.USER32(?), ref: 00BB11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BB11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BB121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00BB1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00BB1245
IsWindowVisible.USER32(00000000), ref: 00BB12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00BB12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00BB12D0
GetWindowRect.USER32(00000000,?), ref: 00BB12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00BB130E
GetMonitorInfoW.USER32(00000000,?), ref: 00BB1328
CopyRect.USER32(?,?), ref: 00BB133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00BB13AA

Strings

tooltips_class32, xrefs: 00BB11E6
0, xrefs: 00BB10D3
(, xrefs: 00BB131B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: be389b345f7d5d1c75fbdbd75cb0f346dad95008bd41cb79a4d85213a40650f9
Instruction ID: ae9bab30a77468b3420a1f0114de01960b08ae3217a79ec48a3e8d7083711be5
Opcode Fuzzy Hash: be389b345f7d5d1c75fbdbd75cb0f346dad95008bd41cb79a4d85213a40650f9
Instruction Fuzzy Hash: A7B19E71604351AFD710DF68C895FAABBE4FF88340F40895CF9999B261DBB1E844CB91

Function 00B38891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B38968
GetSystemMetrics.USER32(00000007), ref: 00B38970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B3899B
GetSystemMetrics.USER32(00000008), ref: 00B389A3
GetSystemMetrics.USER32(00000004), ref: 00B389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B38A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B38A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B38A5A
GetStockObject.GDI32(00000011), ref: 00B38A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B38A81

Part of subcall function 00B3912D: GetCursorPos.USER32(?), ref: 00B39141
Part of subcall function 00B3912D: ScreenToClient.USER32(00000000,?), ref: 00B3915E
Part of subcall function 00B3912D: GetAsyncKeyState.USER32(00000001), ref: 00B39183
Part of subcall function 00B3912D: GetAsyncKeyState.USER32(00000002), ref: 00B3919D

SetTimer.USER32(00000000,00000000,00000028,00B390FC), ref: 00B38AA8

Strings

AutoIt v3 GUI, xrefs: 00B38A20

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: bdab93088f1fe572438853c65d844718af7ee8c6c60936788c4ddcb4e206733f
Instruction ID: 9ec0aec3fb63922d526290f6ac9be7e54729d5589119e3fe871cbcc8e9830782
Opcode Fuzzy Hash: bdab93088f1fe572438853c65d844718af7ee8c6c60936788c4ddcb4e206733f
Instruction Fuzzy Hash: 4CB16D71A00209DFDB14DFA8CD85BAE3BF5FB48314F108669FA15A7290DBB4E841CB51

Function 00B80D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B81114
Part of subcall function 00B810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81120
Part of subcall function 00B810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B8112F
Part of subcall function 00B810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81136
Part of subcall function 00B810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B8114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B80DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B80E29
GetLengthSid.ADVAPI32(?), ref: 00B80E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B80E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B80E96
GetLengthSid.ADVAPI32(?), ref: 00B80EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B80EB5
HeapAlloc.KERNEL32(00000000), ref: 00B80EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B80EDD
CopySid.ADVAPI32(00000000), ref: 00B80EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B80F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B80F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B80F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80F6E
HeapFree.KERNEL32(00000000), ref: 00B80F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80F7E
HeapFree.KERNEL32(00000000), ref: 00B80F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B80F8E
HeapFree.KERNEL32(00000000), ref: 00B80F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B80FA1
HeapFree.KERNEL32(00000000), ref: 00B80FA8

Part of subcall function 00B81193: GetProcessHeap.KERNEL32(00000008,00B80BB1,?,00000000,?,00B80BB1,?), ref: 00B811A1
Part of subcall function 00B81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B80BB1,?), ref: 00B811A8
Part of subcall function 00B81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B80BB1,?), ref: 00B811B7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ce3baf679a1440b0d532ad1d7a210a3f482d99bf83a095c2934024980ceada4a
Instruction ID: 18f48200b7e95e2ee0c567f8d6001cf47fd51011866f8c4c6ffca4181bf0b010
Opcode Fuzzy Hash: ce3baf679a1440b0d532ad1d7a210a3f482d99bf83a095c2934024980ceada4a
Instruction Fuzzy Hash: 72714C7190020AABDB60EFA4DC44BAEBBB8EF04341F148255FA19B71A1DB719909CB60

Function 00BAC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BBCC08,00000000,?,00000000,?,?), ref: 00BAC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00BAC5A4
_wcslen.LIBCMT ref: 00BAC5F4
_wcslen.LIBCMT ref: 00BAC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00BAC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00BAC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00BAC84D
RegCloseKey.ADVAPI32(?), ref: 00BAC881
RegCloseKey.ADVAPI32(00000000), ref: 00BAC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00BAC960

Strings

REG_EXPAND_SZ, xrefs: 00BAC5CD
REG_DWORD, xrefs: 00BAC804
REG_BINARY, xrefs: 00BAC913
REG_QWORD, xrefs: 00BAC8C3
REG_MULTI_SZ, xrefs: 00BAC6F5
REG_SZ, xrefs: 00BAC644

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: b39957464cc6f15aebad4f18f379fc88824e8a3a44094925f34e3cf843b8d3f4
Instruction ID: 0544044101150c64ab63bb6a4b64b1343f8a9b0ea58263ec0515d00e1aad4974
Opcode Fuzzy Hash: b39957464cc6f15aebad4f18f379fc88824e8a3a44094925f34e3cf843b8d3f4
Instruction Fuzzy Hash: 5D1279356082119FCB14DF14D891A2ABBE5FF89714F14889CF88A9B3A2DB31ED45CB85

Function 00BB091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BB09C6
_wcslen.LIBCMT ref: 00BB0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB0A54
_wcslen.LIBCMT ref: 00BB0A8A
_wcslen.LIBCMT ref: 00BB0B06
_wcslen.LIBCMT ref: 00BB0B81

Part of subcall function 00B3F9F2: _wcslen.LIBCMT ref: 00B3F9FD

Part of subcall function 00B82BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B82BFA

Strings

EXISTS, xrefs: 00BB0B7C, 00BB0B97
COLLAPSE, xrefs: 00BB0B01, 00BB0B1C
CHECK, xrefs: 00BB0A85, 00BB0AA0
ISCHECKED, xrefs: 00BB0CE1
GETTEXT, xrefs: 00BB0C97
GETTOTALCOUNT, xrefs: 00BB09F2, 00BB0A17
GETITEMCOUNT, xrefs: 00BB0C1E
EXPAND, xrefs: 00BB0BF8
GETSELECTED, xrefs: 00BB0C4E
SELECT, xrefs: 00BB0D11
UNCHECK, xrefs: 00BB0D3E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c05f2fbee3038d89a70b81249f12478dec421b45215412ac2c6bb7b0881da042
Instruction ID: 879f60e4462f74236501b2eb8207b89473f8f10c841b88b32bce7d824b3328ba
Opcode Fuzzy Hash: c05f2fbee3038d89a70b81249f12478dec421b45215412ac2c6bb7b0881da042
Instruction Fuzzy Hash: 34E169312183518FC714EF25C49097AB7E1FF98314B1489EDF89A9B2A2DB71ED45CB81

Function 00BAC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAB6AE,?,?), ref: 00BAC9B5
_wcslen.LIBCMT ref: 00BAC9F1
_wcslen.LIBCMT ref: 00BACA68
_wcslen.LIBCMT ref: 00BACA9E
_wcslen.LIBCMT ref: 00BACAF9
_wcslen.LIBCMT ref: 00BACB2F
_wcslen.LIBCMT ref: 00BACB7F

Strings

HKCU, xrefs: 00BACBCE
HKCC, xrefs: 00BACBAC
HKEY_USERS, xrefs: 00BACBDF
HKEY_CURRENT_USER, xrefs: 00BACBBD
HKCR, xrefs: 00BACB29, 00BACB2E
HKEY_CLASSES_ROOT, xrefs: 00BACAF3, 00BACAF8
HKEY_CURRENT_CONFIG, xrefs: 00BACB79, 00BACB7E
HKU, xrefs: 00BACBF0
HKLM, xrefs: 00BACA98, 00BACA9D
HKEY_LOCAL_MACHINE, xrefs: 00BACA62, 00BACA67

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ee22a689adb6341e7de77f538f5cff548c6b417a5bdb7a2d5d9db47a879d9536
Instruction ID: 94b1353f799f7b1bf482e8aa90beb2a7f888c5606aac91f5a3cfd63cef4afe76
Opcode Fuzzy Hash: ee22a689adb6341e7de77f538f5cff548c6b417a5bdb7a2d5d9db47a879d9536
Instruction Fuzzy Hash: 1C71E43360816E8BCB20DE7CC9416BE3BD1EB62764F6505E5F8569B288EB31CD45D3A0

Function 00BB833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BB835A
_wcslen.LIBCMT ref: 00BB836E
_wcslen.LIBCMT ref: 00BB8391
_wcslen.LIBCMT ref: 00BB83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BB83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00BB361A,?), ref: 00BB844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BB8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BB84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BB8501
FreeLibrary.KERNEL32(?), ref: 00BB850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BB851D
DestroyIcon.USER32(?), ref: 00BB852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BB8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BB8555

Strings

.icl, xrefs: 00BB8368
.exe, xrefs: 00BB8388
.dll, xrefs: 00BB83AB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ab33a16a42f5bfc25428b44e7b443a7fff082b9074759dae7dc02f92e877cc63
Instruction ID: 0f30809fc081a29f4e5406eac851a6a508f1cd64f11e4c4e360fb2f59bd7db27
Opcode Fuzzy Hash: ab33a16a42f5bfc25428b44e7b443a7fff082b9074759dae7dc02f92e877cc63
Instruction Fuzzy Hash: AD61AB71540615BBEB24DF64CC81BFA7BECEB18710F104689F815EA1D1DFB4AA90DBA0

Function 00B27778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#cs, xrefs: 00B27873, 00B278C5
Bad directive syntax error, xrefs: 00B6519A
", xrefs: 00B65153
#notrayicon, xrefs: 00B277E7
#comments-start, xrefs: 00B2785F, 00B278B1
#comments-end, xrefs: 00B278D9
Cannot parse #include, xrefs: 00B65279
#requireadmin, xrefs: 00B277FF
#pragma compile, xrefs: 00B277D3
#ce, xrefs: 00B278ED
', xrefs: 00B65169
#OnAutoItStartRegister, xrefs: 00B27817
Unterminated group of comments, xrefs: 00B6528C
#include-once, xrefs: 00B2782F
#include, xrefs: 00B27847

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0c4ecdf0c64e7d55e39002106fbb40ae851a854a9657f256d838a82cd300c1e9
Instruction ID: b2322961681ad2edd4721db25a264a48150ef12d78b76b65db283c3f3defcbb4
Opcode Fuzzy Hash: 0c4ecdf0c64e7d55e39002106fbb40ae851a854a9657f256d838a82cd300c1e9
Instruction Fuzzy Hash: 0A81D471684625ABDB20AF61DC42FFE37E8EF15300F0440E4F908AA1A6EF74DA51D795

Function 00B93E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B93EF8
_wcslen.LIBCMT ref: 00B93F03
_wcslen.LIBCMT ref: 00B93F5A
_wcslen.LIBCMT ref: 00B93F98
GetDriveTypeW.KERNEL32(?), ref: 00B93FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B9401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B94059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B94087

Strings

open, xrefs: 00B93F54, 00B93F59
closed, xrefs: 00B93F08, 00B93F2D, 00B93F46, 00B93F7E, 00B93F97
close cd wait, xrefs: 00B94072
close, xrefs: 00B93EFE, 00B93F18
type cdaudio alias cd wait, xrefs: 00B94001
set cd door , xrefs: 00B94028
open , xrefs: 00B93FE5
wait, xrefs: 00B94044

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 70ae52e8c915001176d9f7b1986f4bd50c7cb4f884f83a528b3e2acbdd6594ae
Instruction ID: 63328ff599f20bec9b0756d3f732214f1856961308c9c3b425c48c596c10c497
Opcode Fuzzy Hash: 70ae52e8c915001176d9f7b1986f4bd50c7cb4f884f83a528b3e2acbdd6594ae
Instruction Fuzzy Hash: D171D2326042119FCB10EF24C89196FB7F4EFA4754F1049ADF99A97261EB30EE46CB91

Function 00B85A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B85A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B85A40
SetWindowTextW.USER32(?,?), ref: 00B85A57
GetDlgItem.USER32(?,000003EA), ref: 00B85A6C
SetWindowTextW.USER32(00000000,?), ref: 00B85A72
GetDlgItem.USER32(?,000003E9), ref: 00B85A82
SetWindowTextW.USER32(00000000,?), ref: 00B85A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B85AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B85AC3
GetWindowRect.USER32(?,?), ref: 00B85ACC
_wcslen.LIBCMT ref: 00B85B33
SetWindowTextW.USER32(?,?), ref: 00B85B6F
GetDesktopWindow.USER32 ref: 00B85B75
GetWindowRect.USER32(00000000), ref: 00B85B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B85BD3
GetClientRect.USER32(?,?), ref: 00B85BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B85C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B85C2F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 47484e5373b34a89d331538279c43aa53b4fee8c8a1529962f3894c7f918e093
Instruction ID: 0dbc9fcea9d7dd359ec09ccc0f50927ece97ed7e1ed1af4e424fa13f7bd64ac0
Opcode Fuzzy Hash: 47484e5373b34a89d331538279c43aa53b4fee8c8a1529962f3894c7f918e093
Instruction Fuzzy Hash: 2A715D31900B09AFDB20EFA9CE85EAEBBF5FF48704F104658E542A75A0DB75E944CB50

Function 00B9FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B9FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00B9FE32
LoadCursorW.USER32(00000000,00007F00), ref: 00B9FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00B9FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00B9FE53
LoadCursorW.USER32(00000000,00007F01), ref: 00B9FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00B9FE69
LoadCursorW.USER32(00000000,00007F88), ref: 00B9FE74
LoadCursorW.USER32(00000000,00007F80), ref: 00B9FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00B9FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00B9FE95
LoadCursorW.USER32(00000000,00007F85), ref: 00B9FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00B9FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00B9FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00B9FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00B9FECC
GetCursorInfo.USER32(?), ref: 00B9FEDC
GetLastError.KERNEL32 ref: 00B9FF1E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 72f8717f0cbed358098b6fe7c6bb4f7e497e4e4b256a3525958baf13c38e6635
Instruction ID: 5242ec4a39d99274d0eed26062d03aa4bd55e81948fde2ca466fdfa227060e22
Opcode Fuzzy Hash: 72f8717f0cbed358098b6fe7c6bb4f7e497e4e4b256a3525958baf13c38e6635
Instruction Fuzzy Hash: 5A4154B0D0531A6BDB10DFBA8C8996EBFE8FF04364B50457AE11DE7281DB789901CE91

Function 00B400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B400C6

Part of subcall function 00B400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00BF070C,00000FA0,14ABC1E6,?,?,?,?,00B623B3,000000FF), ref: 00B4011C
Part of subcall function 00B400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B623B3,000000FF), ref: 00B40127
Part of subcall function 00B400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B623B3,000000FF), ref: 00B40138
Part of subcall function 00B400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B4014E
Part of subcall function 00B400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B4015C
Part of subcall function 00B400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B4016A
Part of subcall function 00B400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B40195
Part of subcall function 00B400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B401A0

___scrt_fastfail.LIBCMT ref: 00B400E7

Part of subcall function 00B400A3: __onexit.LIBCMT ref: 00B400A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B40122
kernel32.dll, xrefs: 00B40133
InitializeConditionVariable, xrefs: 00B40148
WakeAllConditionVariable, xrefs: 00B40162
SleepConditionVariableCS, xrefs: 00B40154

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4e4fe818a5e6b67c3bff9d75f2fd1d99d9656f87653ef2470d9d382bea76301a
Instruction ID: 877cf151c8267c5239eb186416ba56d2b62bf0a5294db932bd44c7b7b6388b4c
Opcode Fuzzy Hash: 4e4fe818a5e6b67c3bff9d75f2fd1d99d9656f87653ef2470d9d382bea76301a
Instruction Fuzzy Hash: 1421D732A547116BE710BB68AC45B7937D4DF04B51F1002B5FA01B36A2DFB49D009A90

Function 00B830F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8318D
_wcslen.LIBCMT ref: 00B831F8

Strings

TEXT, xrefs: 00B8347C
NAME, xrefs: 00B83335, 00B83346
CLASSNN, xrefs: 00B831F3, 00B83204
INSTANCE, xrefs: 00B83453
CLASS, xrefs: 00B83188, 00B831A5
REGEXPCLASS, xrefs: 00B83255, 00B83266

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b29749a62d836a68d56985b0b9a80e081e294ab6d2a49b024300afed449ed846
Instruction ID: 672f00c270d18a98602fc09d7c6a37e81f48a1e70ece6516cf02874bf4c9faed
Opcode Fuzzy Hash: b29749a62d836a68d56985b0b9a80e081e294ab6d2a49b024300afed449ed846
Instruction Fuzzy Hash: ECE1B532A00516ABCB24AFB8C4916EDBBF0FF54F10F5481A9E456B7260DB70AF85D790

Function 00B944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00BBCC08), ref: 00B94527
_wcslen.LIBCMT ref: 00B9453B
_wcslen.LIBCMT ref: 00B94599
_wcslen.LIBCMT ref: 00B945F4
_wcslen.LIBCMT ref: 00B9463F
_wcslen.LIBCMT ref: 00B946A7

Part of subcall function 00B3F9F2: _wcslen.LIBCMT ref: 00B3F9FD

GetDriveTypeW.KERNEL32(?,00BE6BF0,00000061), ref: 00B94743

Strings

ramdisk, xrefs: 00B946F1
cdrom, xrefs: 00B9458F, 00B94594
all, xrefs: 00B94531, 00B94536
fixed, xrefs: 00B94635, 00B9463A
network, xrefs: 00B9469D, 00B946A2
unknown, xrefs: 00B94708
removable, xrefs: 00B945EA, 00B945EF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 721ee62b3d0768385df0fdebb206fba702034479609963e17c71ea1063316741
Instruction ID: 595a825a57b47845fbe891748b0c27be2ef3de7bd5cc0d63db6689fe01a0b3be
Opcode Fuzzy Hash: 721ee62b3d0768385df0fdebb206fba702034479609963e17c71ea1063316741
Instruction Fuzzy Hash: 58B1F1716083029FCB10DF28D890E6AB7E5EFA5760F5049ADF49AC7291DB30DD46CB62

Function 00BA3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BBCC08), ref: 00BA40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BA40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00BBCC08), ref: 00BA40F2
FreeLibrary.KERNEL32(00000000,?,00BBCC08), ref: 00BA413E
StringFromGUID2.OLE32(?,?,00000028,?,00BBCC08), ref: 00BA41A8
SysFreeString.OLEAUT32(00000009), ref: 00BA4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BA42C8
SysFreeString.OLEAUT32(?), ref: 00BA42F2

Strings

GetModuleHandleExW, xrefs: 00BA40C7
kernel32.dll, xrefs: 00BA40B6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 606381c4d33de1895f61445bc1f9a315989be5adf42e0ca6ab1c1c3cd1ab4c86
Instruction ID: c544a722d5f6b8fb88c13591081c93e45ed44a2a66958a77768287ffc67232d6
Opcode Fuzzy Hash: 606381c4d33de1895f61445bc1f9a315989be5adf42e0ca6ab1c1c3cd1ab4c86
Instruction Fuzzy Hash: 7A123D75A04115EFDB14CF54C884EAEBBF5FF8A314F248098E905AB251DBB1ED46CBA0

Function 00B2326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00BF1990), ref: 00B62F8D
GetMenuItemCount.USER32(00BF1990), ref: 00B6303D
GetCursorPos.USER32(?), ref: 00B63081
SetForegroundWindow.USER32(00000000), ref: 00B6308A
TrackPopupMenuEx.USER32(00BF1990,00000000,?,00000000,00000000,00000000), ref: 00B6309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B630A9

Strings

0, xrefs: 00B2327D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d4f708eb5dc8b5c6995e0955cc92725c5acc9657945594d9418b97e31a9df15c
Instruction ID: 2163df1c36cc2c55e8a7db47b663aad47491b95cff91270f1470dfcb95667ca6
Opcode Fuzzy Hash: d4f708eb5dc8b5c6995e0955cc92725c5acc9657945594d9418b97e31a9df15c
Instruction Fuzzy Hash: 4F713C31640615BFFB219F24DC89FAABFE9FF04724F204256F518661E1C7B9A910DB90

Function 00BB6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00BB6DEB

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BB6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BB6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB6E94
DestroyWindow.USER32(?), ref: 00BB6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B20000,00000000), ref: 00BB6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB6EFD
GetDesktopWindow.USER32 ref: 00BB6F16
GetWindowRect.USER32(00000000), ref: 00BB6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BB6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BB6F4D

Part of subcall function 00B39944: GetWindowLongW.USER32(?,000000EB), ref: 00B39952

Strings

tooltips_class32, xrefs: 00BB6E58, 00BB6EDD
0, xrefs: 00BB6D98

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 8d0130618cffe34fc106a85f615c889579e2ce801960ca3f3cd6d473720c41de
Instruction ID: f4c67d13375499338b2a17c6be45864ecdd695337b14ee43d6b0d8d4adfd8ba7
Opcode Fuzzy Hash: 8d0130618cffe34fc106a85f615c889579e2ce801960ca3f3cd6d473720c41de
Instruction Fuzzy Hash: 00715675504244AFDB21CF28DC49EBABBE9FB89304F04495DF98987261CBB4ED06CB11

Function 00BB911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

DragQueryPoint.SHELL32(?,?), ref: 00BB9147

Part of subcall function 00BB7674: ClientToScreen.USER32(?,?), ref: 00BB769A
Part of subcall function 00BB7674: GetWindowRect.USER32(?,?), ref: 00BB7710
Part of subcall function 00BB7674: PtInRect.USER32(?,?,00BB8B89), ref: 00BB7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00BB91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BB91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BB91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BB9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00BB923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BB9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00BB9277
DragFinish.SHELL32(?), ref: 00BB927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BB9371

Strings

@GUI_DRAGFILE, xrefs: 00BB9320
@GUI_DROPID, xrefs: 00BB929E
@GUI_DRAGID, xrefs: 00BB92E9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 6d526f8a1932d9c7a6c46db20f1fa0f5a912afe5d6c610f12820845cbc8d79ff
Instruction ID: c1b4e318efc52f1c6c5fe9939edc28e2448d6d45df1e071395d7513954db2575
Opcode Fuzzy Hash: 6d526f8a1932d9c7a6c46db20f1fa0f5a912afe5d6c610f12820845cbc8d79ff
Instruction Fuzzy Hash: B8615E71108301AFD701DF55DC85DAFBBE8EF89750F000AADF59A931A1DBB09A49CB92

Function 00B9C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B9C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B9C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B9C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B9C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B9C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B9C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B9C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B9C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B9C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B9C5F0
InternetCloseHandle.WININET(00000000), ref: 00B9C5FB

Strings

, xrefs: 00B9C575

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: fb5ca4de1f5077c19cd3cbe5c23931e016c8da8f49820f59d3165c4c904dd165
Instruction ID: 085c5a6f5cbd4f957397c3bfacefd83a51aa3eb6266863ddbd9004ca6eaa72c1
Opcode Fuzzy Hash: fb5ca4de1f5077c19cd3cbe5c23931e016c8da8f49820f59d3165c4c904dd165
Instruction Fuzzy Hash: F65159B0600208BFEB21CF61C989AAB7FFCFB19744F104569F94697210DB70EA44DB60

Function 00BB856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00BB8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00BB85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00BB85AD
CloseHandle.KERNEL32(00000000), ref: 00BB85BA
GlobalLock.KERNEL32(00000000), ref: 00BB85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00BB85D7
GlobalUnlock.KERNEL32(00000000), ref: 00BB85E0
CloseHandle.KERNEL32(00000000), ref: 00BB85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00BB85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BBFC38,?), ref: 00BB8611
GlobalFree.KERNEL32(00000000), ref: 00BB8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00BB8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00BB8671
DeleteObject.GDI32(00000000), ref: 00BB8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BB86AF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 63d12d160aa7a759046fc52131117e8d4d85889dc89fba1035945180a106e7bb
Instruction ID: 9b928dd3d207ea951f753093997f9d505e72e29af1796eec5b79bf5b15e02793
Opcode Fuzzy Hash: 63d12d160aa7a759046fc52131117e8d4d85889dc89fba1035945180a106e7bb
Instruction Fuzzy Hash: E141F975600205AFDB11DFA5DC88EAA7BBCEF89711F104159F906E7260DBB09D01CB60

Function 00B914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B91502
VariantCopy.OLEAUT32(?,?), ref: 00B9150B
VariantClear.OLEAUT32(?), ref: 00B91517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00B91657
VariantInit.OLEAUT32(?), ref: 00B91708
SysFreeString.OLEAUT32(?), ref: 00B9178C
VariantClear.OLEAUT32(?), ref: 00B917D8
VariantClear.OLEAUT32(?), ref: 00B917E7
VariantInit.OLEAUT32(00000000), ref: 00B91823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B91625
Default, xrefs: 00B916AF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ea9950228967af6b4f646b8f08f0e6ab450166e8d93dfa79cc5b5b6d460c4d77
Instruction ID: a34f23ff1cae725f4dbf06f22005ee008f764b8c25023dad9bb7865ee335b7d8
Opcode Fuzzy Hash: ea9950228967af6b4f646b8f08f0e6ab450166e8d93dfa79cc5b5b6d460c4d77
Instruction Fuzzy Hash: E8D1DF71A00116EBDF009F69E885B79B7F5FF44700F2288E6E446AB290DB34DD46EB61

Function 00BAB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00BAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAB6AE,?,?), ref: 00BAC9B5
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BAC9F1
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA68
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BAB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BAB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00BAB80A
RegCloseKey.ADVAPI32(?), ref: 00BAB87E
RegCloseKey.ADVAPI32(?), ref: 00BAB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00BAB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BAB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00BAB922
FreeLibrary.KERNEL32(00000000), ref: 00BAB983
RegCloseKey.ADVAPI32(00000000), ref: 00BAB994

Strings

advapi32.dll, xrefs: 00BAB8ED
RegDeleteKeyExW, xrefs: 00BAB8FE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dec2faebc56a356351ac2ad4994c617e10990d4119d02b11df165f324fed9fc6
Instruction ID: 7d4b5f2b83bde4f54a3a7929604ce70b16477e7701bd93352963ca8c7db55c75
Opcode Fuzzy Hash: dec2faebc56a356351ac2ad4994c617e10990d4119d02b11df165f324fed9fc6
Instruction Fuzzy Hash: 52C16A30208241AFD714DF18C495F2ABBE5FF85318F54859CF4AA8B2A2CB75ED45CB91

Function 00BA255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BA25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00BA25E8
CreateCompatibleDC.GDI32(?), ref: 00BA25F4
SelectObject.GDI32(00000000,?), ref: 00BA2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00BA266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00BA26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00BA26D0
SelectObject.GDI32(?,?), ref: 00BA26D8
DeleteObject.GDI32(?), ref: 00BA26E1
DeleteDC.GDI32(?), ref: 00BA26E8
ReleaseDC.USER32(00000000,?), ref: 00BA26F3

Strings

(, xrefs: 00BA268D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 58194f04a658c769f2422291bb972a82eb1728b4f9b9b1603d21246bb7d01668
Instruction ID: 1797894615a9f39601da6a69c3cbbb3f2b4f9a67df533ae5058e2ba2bdbfd738
Opcode Fuzzy Hash: 58194f04a658c769f2422291bb972a82eb1728b4f9b9b1603d21246bb7d01668
Instruction Fuzzy Hash: D861C075D04219EFCF04CFA8D984AAEBBF5FF48310F20856AE955A7250D770A951CFA0

Function 00B5DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B5DAA1

Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D659
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D66B
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D67D
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D68F
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6A1
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6B3
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6C5
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6D7
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6E9
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D6FB
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D70D
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D71F
Part of subcall function 00B5D63C: _free.LIBCMT ref: 00B5D731

_free.LIBCMT ref: 00B5DA96

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

_free.LIBCMT ref: 00B5DAB8
_free.LIBCMT ref: 00B5DACD
_free.LIBCMT ref: 00B5DAD8
_free.LIBCMT ref: 00B5DAFA
_free.LIBCMT ref: 00B5DB0D
_free.LIBCMT ref: 00B5DB1B
_free.LIBCMT ref: 00B5DB26
_free.LIBCMT ref: 00B5DB5E
_free.LIBCMT ref: 00B5DB65
_free.LIBCMT ref: 00B5DB82
_free.LIBCMT ref: 00B5DB9A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: de52c23763ee6395eaae21b3cabe4209a37aa1eb650ca8a3e5e751a57c6fda1c
Instruction ID: c662dd4cec80bce005a14f7d84f2e82bcffd7b03eb72375d695a35cf13b3f6fc
Opcode Fuzzy Hash: de52c23763ee6395eaae21b3cabe4209a37aa1eb650ca8a3e5e751a57c6fda1c
Instruction Fuzzy Hash: 48313D316047059FEB31AB39E845B9677E9FF01312F1546E9E859E7291DF31AC48C720

Function 00B8365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B8369C
_wcslen.LIBCMT ref: 00B836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B83797
GetClassNameW.USER32(?,?,00000400), ref: 00B8380C
GetDlgCtrlID.USER32(?), ref: 00B8385D
GetWindowRect.USER32(?,?), ref: 00B83882
GetParent.USER32(?), ref: 00B838A0
ScreenToClient.USER32(00000000), ref: 00B838A7
GetClassNameW.USER32(?,?,00000100), ref: 00B83921
GetWindowTextW.USER32(?,?,00000400), ref: 00B8395D

Strings

%s%u, xrefs: 00B83734

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3abd432af69a003481b41fbde317437663ddfc814050e968f0e0c82f4037b3c9
Instruction ID: a66c6150c330695ef2157b53306d02688321b3faefc7fe27b375aaf7ad025ffe
Opcode Fuzzy Hash: 3abd432af69a003481b41fbde317437663ddfc814050e968f0e0c82f4037b3c9
Instruction Fuzzy Hash: F291B671204606AFD715EF24C885FAAF7E8FF44B50F008659F99AD31A0EB70EA45CB91

Function 00B84954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B84994
GetWindowTextW.USER32(?,?,00000400), ref: 00B849DA
_wcslen.LIBCMT ref: 00B849EB
CharUpperBuffW.USER32(?,00000000), ref: 00B849F7
_wcsstr.LIBVCRUNTIME ref: 00B84A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B84A64
GetWindowTextW.USER32(?,?,00000400), ref: 00B84A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B84AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B84B20
GetWindowRect.USER32(?,?), ref: 00B84B8B

Strings

ThumbnailClass, xrefs: 00B84A6F, 00B84AF1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: c26c67c09875fd444eaffdff16dd8de89cc4b6632c2d045907c44b6ea77b836a
Instruction ID: 9c0688a9b26dbf7904b0d0752750a6cde25ac56c67f50a5a7220b9a38c97badb
Opcode Fuzzy Hash: c26c67c09875fd444eaffdff16dd8de89cc4b6632c2d045907c44b6ea77b836a
Instruction Fuzzy Hash: C491C2310042069FDB14EF14C985FAAB7E8FF44314F0485AAFD869B1A6DB30ED45CBA1

Function 00B8BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00BF1990,000000FF,00000000,00000030), ref: 00B8BFAC
SetMenuItemInfoW.USER32(00BF1990,00000004,00000000,00000030), ref: 00B8BFE1
Sleep.KERNEL32(000001F4), ref: 00B8BFF3
GetMenuItemCount.USER32(?), ref: 00B8C039
GetMenuItemID.USER32(?,00000000), ref: 00B8C056
GetMenuItemID.USER32(?,-00000001), ref: 00B8C082
GetMenuItemID.USER32(?,?), ref: 00B8C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B8C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8C145

Strings

0, xrefs: 00B8BF3D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: e850d3817f073a59bb8e0835da1164299e91494528918abc20e367a1287e0f9e
Instruction ID: 5bd7d00945b7b1764236995524a3cc0390bd1ee7336a1299cbc0436a479aaf7c
Opcode Fuzzy Hash: e850d3817f073a59bb8e0835da1164299e91494528918abc20e367a1287e0f9e
Instruction Fuzzy Hash: D16170B0900246AFDF11EF64DC89EEE7FE9EB05344F104595E951A32A1CB75AD05CB70

Function 00BACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00BACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BACD48

Part of subcall function 00BACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00BACCAA
Part of subcall function 00BACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00BACCBD
Part of subcall function 00BACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BACCCF
Part of subcall function 00BACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00BACD05
Part of subcall function 00BACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00BACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BACCF3

Strings

advapi32.dll, xrefs: 00BACCB8
RegDeleteKeyExW, xrefs: 00BACCC9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 390b12b1247f386c03e0e4e767a725d8d2cdb85098e5a0bcc28f78bdbdbc66a7
Instruction ID: 2d1e53d15952afdd1a2d463783aacfba3bb5ede210545c9ba1bc041910b4c6d4
Opcode Fuzzy Hash: 390b12b1247f386c03e0e4e767a725d8d2cdb85098e5a0bcc28f78bdbdbc66a7
Instruction Fuzzy Hash: CF317A71905128BBDB20DB95DC88EFFBFBCEF16750F0001A5B946E3250DBB09A459AA0

Function 00B93D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B93D40
_wcslen.LIBCMT ref: 00B93D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B93D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B93DBE
RemoveDirectoryW.KERNEL32(?), ref: 00B93DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B93E55
CloseHandle.KERNEL32(00000000), ref: 00B93E60
CloseHandle.KERNEL32(00000000), ref: 00B93E6B

Strings

\??\%s, xrefs: 00B93D5B
:, xrefs: 00B93D82
\, xrefs: 00B93D77

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 80f41cfc9da509408fb2dc9154cf2c0a823c325070d27607381018427f31b989
Instruction ID: 6adda059cba18f48fa3b3acdf9a3d04f9ab395745000bfac8104fb09986e8dcd
Opcode Fuzzy Hash: 80f41cfc9da509408fb2dc9154cf2c0a823c325070d27607381018427f31b989
Instruction Fuzzy Hash: E6318D76904209ABDB20DFA0DC49FAB37FCEF88B00F1041B5F619E6060EBB497448B24

Function 00B8E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B8E6B4

Part of subcall function 00B3E551: timeGetTime.WINMM(?,?,00B8E6D4), ref: 00B3E555

Sleep.KERNEL32(0000000A), ref: 00B8E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B8E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B8E727
SetActiveWindow.USER32 ref: 00B8E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B8E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B8E773
Sleep.KERNEL32(000000FA), ref: 00B8E77E
IsWindow.USER32 ref: 00B8E78A
EndDialog.USER32(00000000), ref: 00B8E79B

Strings

BUTTON, xrefs: 00B8E719

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 929944086f00ecf602448c4d576783a4aee1691684edf7a7b9c03024c5192c32
Instruction ID: fcb16e1dd5f5768529b3f947664563a6d572975ac1a2e103328a85bd9eb47a39
Opcode Fuzzy Hash: 929944086f00ecf602448c4d576783a4aee1691684edf7a7b9c03024c5192c32
Instruction Fuzzy Hash: 522129B4200205BFEB10AF64EC89A3A3BA9E755B49B101965F526D31B1DFB1EC00DB24

Function 00B8E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B8EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B8EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B8EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B8EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B8EAA7

Strings

close PlayMe, xrefs: 00B8EA6E, 00B8EA9B
play PlayMe, xrefs: 00B8EAA2
play PlayMe wait, xrefs: 00B8EA91
status PlayMe mode, xrefs: 00B8EA58
alias PlayMe, xrefs: 00B8EA36
open , xrefs: 00B8EA0C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 677c83c48a1350c6048f4f84a0b16c3ac54dcbb448d07b20bdbaca02b8d3ea7b
Instruction ID: 5086fe1356906d802d55904dadcb764e9294208fa00fc81eb75ab75f5f7fc78a
Opcode Fuzzy Hash: 677c83c48a1350c6048f4f84a0b16c3ac54dcbb448d07b20bdbaca02b8d3ea7b
Instruction Fuzzy Hash: B0118225A5026979D724E762DC4ADFF6BFCEBE5F40F0004A5B415A20E1DFB04944C6B0

Function 00B89F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B8A012
SetKeyboardState.USER32(?), ref: 00B8A07D
GetAsyncKeyState.USER32(000000A0), ref: 00B8A09D
GetKeyState.USER32(000000A0), ref: 00B8A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00B8A0E3
GetKeyState.USER32(000000A1), ref: 00B8A0F4
GetAsyncKeyState.USER32(00000011), ref: 00B8A120
GetKeyState.USER32(00000011), ref: 00B8A12E
GetAsyncKeyState.USER32(00000012), ref: 00B8A157
GetKeyState.USER32(00000012), ref: 00B8A165
GetAsyncKeyState.USER32(0000005B), ref: 00B8A18E
GetKeyState.USER32(0000005B), ref: 00B8A19C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 148d930e8cd675ae8b0e9404151be4ddb8521b5689b2eaf45b9028ed1b96943b
Instruction ID: 87dbd6ea687d136b22cf7a35c2c018ff75a69a79fb7167b13a44faa63c6b1a5b
Opcode Fuzzy Hash: 148d930e8cd675ae8b0e9404151be4ddb8521b5689b2eaf45b9028ed1b96943b
Instruction Fuzzy Hash: 215199209047882AFF35FB708855BEAAFF5DF12380F0C45DAD5C2571E2EA54AA4CC762

Function 00B85CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B85CE2
GetWindowRect.USER32(00000000,?), ref: 00B85CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B85D59
GetDlgItem.USER32(?,00000002), ref: 00B85D69
GetWindowRect.USER32(00000000,?), ref: 00B85D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B85DCF
GetDlgItem.USER32(?,000003E9), ref: 00B85DDD
GetWindowRect.USER32(00000000,?), ref: 00B85DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B85E31
GetDlgItem.USER32(?,000003EA), ref: 00B85E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B85E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B85E67

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 373da03e4242da107d03b49b5f8beeac1b052be96f0160fb60acd9a2d34e7a78
Instruction ID: 8abd453fc52ec66e7e0bd3b3ddca474c7eda3bca3ecbef1add2d67ccaa485222
Opcode Fuzzy Hash: 373da03e4242da107d03b49b5f8beeac1b052be96f0160fb60acd9a2d34e7a78
Instruction Fuzzy Hash: 0E51FF71A00605AFDB18DF68DD89EAEBBF5FB48301F148269F916E7290DB709E04CB50

Function 00B38BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B38BE8,?,00000000,?,?,?,?,00B38BBA,00000000,?), ref: 00B38FC5

DestroyWindow.USER32(?), ref: 00B38C81
KillTimer.USER32(00000000,?,?,?,?,00B38BBA,00000000,?), ref: 00B38D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00B76973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B38BBA,00000000,?), ref: 00B769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B38BBA,00000000,?), ref: 00B769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B38BBA,00000000), ref: 00B769D4
DeleteObject.GDI32(00000000), ref: 00B769E6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: de90179dc08d818640d46bc7c647afb5856fbf1fd1786d9ccc469841c9316274
Instruction ID: aa234bbb324c5fc3f3466804a298cc3b8fa40b3c4f7979f1deb5e465d7825101
Opcode Fuzzy Hash: de90179dc08d818640d46bc7c647afb5856fbf1fd1786d9ccc469841c9316274
Instruction Fuzzy Hash: 66618C31501B00DFCB25DF29D948B257BF1FB54312F6499A8E0469B560CFB1AD81CBA2

Function 00B39838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B39944: GetWindowLongW.USER32(?,000000EB), ref: 00B39952

GetSysColor.USER32(0000000F), ref: 00B39862

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1cb48c2e7f2697ac63d51c5b51d221846167ce38ec1402bcbfc8eb2ee5dab906
Instruction ID: bfe65a267160e14279176f4e2afec28105416ba9b4c485d53edf35ae8f5692a7
Opcode Fuzzy Hash: 1cb48c2e7f2697ac63d51c5b51d221846167ce38ec1402bcbfc8eb2ee5dab906
Instruction Fuzzy Hash: 5241A031144640AFDB209F3C9C84BBA3BE5EB56370F244695F9B6972E1CBB19C42DB20

Function 00B896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00B6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B89717
LoadStringW.USER32(00000000,?,00B6F7F8,00000001), ref: 00B89720

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B89742
LoadStringW.USER32(00000000,?,00B6F7F8,00000001), ref: 00B89745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B89866

Strings

Line %d (File "%s"):, xrefs: 00B8978F
^ ERROR, xrefs: 00B897FB
Error: , xrefs: 00B8981D
%s (%d) : ==> %s: %s %s, xrefs: 00B8984A
Line %d:, xrefs: 00B897A0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 25d9b45ee5eff2951a855d365f5fbd2e05ed2491f1f620eef568884cbe559a52
Instruction ID: 2c6156d6f106cf230d0cc089e4cf3fb66c10ecf91ffecde27e5339cce97d1623
Opcode Fuzzy Hash: 25d9b45ee5eff2951a855d365f5fbd2e05ed2491f1f620eef568884cbe559a52
Instruction Fuzzy Hash: 51410C72800219AACF04FBE0ED96DEEB7F8AF15740F5405A5F509720A2EB756F48CB61

Function 00B806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B80804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B8082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B80837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B8083C

Strings

\IPC$, xrefs: 00B80784
SOFTWARE\Classes\, xrefs: 00B8070E
\CLSID, xrefs: 00B80724

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d52a0ba6dca7e20a13e3d0519f21569749e23489c2a24ee00048bd842a386406
Instruction ID: 032d9ef59520ea5e71f37c9d5874400202ca9c3b0c3115697710662ccb4247ea
Opcode Fuzzy Hash: d52a0ba6dca7e20a13e3d0519f21569749e23489c2a24ee00048bd842a386406
Instruction Fuzzy Hash: 8D411976C10229ABCF21EFA4EC858EDB7B8FF04750F4445A9E905A7161EB705E48CBA0

Function 00BB3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BB403B
CreateCompatibleDC.GDI32(00000000), ref: 00BB4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BB4055
SelectObject.GDI32(00000000,00000000), ref: 00BB405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BB4068
DeleteDC.GDI32(00000000), ref: 00BB4072
GetWindowLongW.USER32(?,000000EC), ref: 00BB407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00BB4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00BB409E

Strings

static, xrefs: 00BB3FD3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3e7e6c7a5dda9bff55ff1d7e4b61a87f463309b31a855aeae5ea01c88eb73fd4
Instruction ID: d024609c6571df9ba2250614661742d436ba71cdd699c9a4473c18b0dd459fff
Opcode Fuzzy Hash: 3e7e6c7a5dda9bff55ff1d7e4b61a87f463309b31a855aeae5ea01c88eb73fd4
Instruction Fuzzy Hash: DC314B32501219ABDF219FA8DC49FEA3FA8FF0D720F110351FA55A61A1CBB5D810DB64

Function 00BA3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA3C5C
CoInitialize.OLE32(00000000), ref: 00BA3C8A
CoUninitialize.OLE32 ref: 00BA3C94
_wcslen.LIBCMT ref: 00BA3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00BA3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BA3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00BA3F0E
CoGetObject.OLE32(?,00000000,00BBFB98,?), ref: 00BA3F2D
SetErrorMode.KERNEL32(00000000), ref: 00BA3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BA3FC4
VariantClear.OLEAUT32(?), ref: 00BA3FD8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a8ebcf5c618aec79fa7ccd8c401a5692540ddbc9e1fb9eb37ed4df3a438a2101
Instruction ID: 6b3a03849345513e1ead20955e8a0fb48bfee91e411165b49bbf0001ba2cd9f0
Opcode Fuzzy Hash: a8ebcf5c618aec79fa7ccd8c401a5692540ddbc9e1fb9eb37ed4df3a438a2101
Instruction Fuzzy Hash: F1C138716083059FD700DF68C88492BBBE9FF8AB44F1449ADF9899B211DB71ED05CB52

Function 00B97A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B97AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B97B8F
SHGetDesktopFolder.SHELL32(?), ref: 00B97BA3
CoCreateInstance.OLE32(00BBFD08,00000000,00000001,00BE6E6C,?), ref: 00B97BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B97C74
CoTaskMemFree.OLE32(?,?), ref: 00B97CCC
SHBrowseForFolderW.SHELL32(?), ref: 00B97D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B97D7A
CoTaskMemFree.OLE32(00000000), ref: 00B97D81
CoTaskMemFree.OLE32(00000000), ref: 00B97DD6
CoUninitialize.OLE32 ref: 00B97DDC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: b60fe0e227e36644c4f1ee3e183983acb4b1068cc90c5f56b7dc0f006d268df2
Instruction ID: 073da99ef6a32af33ba0bb7c2a89f04bfac9dc62bb8455a4034b0c919ca0dc0a
Opcode Fuzzy Hash: b60fe0e227e36644c4f1ee3e183983acb4b1068cc90c5f56b7dc0f006d268df2
Instruction Fuzzy Hash: 4AC13A75A04119AFCB14DFA4C894DAEBBF9FF48304B1485A9F8199B361DB30EE41CB90

Function 00BB541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BB5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB5515
CharNextW.USER32(00000158), ref: 00BB5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BB5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BB559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB55AC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2817ee7ccf2a39c232c6cbb193629cf9cc4755ffa6cdc25faf2768ddffe7223c
Instruction ID: 6f2b0206f37960bb4fbfab07b07c1ac5b7bfbdf847252bf23c188b5c16508c52
Opcode Fuzzy Hash: 2817ee7ccf2a39c232c6cbb193629cf9cc4755ffa6cdc25faf2768ddffe7223c
Instruction Fuzzy Hash: 5A615A70900608AFDB20DF54CC85EFE7BB9EB09721F104585F965AB290DBB49A81DB62

Function 00B7FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B7FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00B7FB08
VariantInit.OLEAUT32(?), ref: 00B7FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B7FB3A
VariantCopy.OLEAUT32(?,?), ref: 00B7FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B7FBA1
VariantClear.OLEAUT32(?), ref: 00B7FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B7FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B7FBCC
VariantClear.OLEAUT32(?), ref: 00B7FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B7FBE9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e174379f9ff5c0870b7a0347725a72540e20f5cf6a7a1d2a068c69d89add107d
Instruction ID: 1454d63074824d1c44761ecd547d17369dc48e5125bf78b44cc06de129fe1f21
Opcode Fuzzy Hash: e174379f9ff5c0870b7a0347725a72540e20f5cf6a7a1d2a068c69d89add107d
Instruction Fuzzy Hash: 61414F35A0021ADFCF00DF68D8549BEBBF9EF48344F00C4A5E959A7361CB70AA45CBA4

Function 00B89C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B89CA1
GetAsyncKeyState.USER32(000000A0), ref: 00B89D22
GetKeyState.USER32(000000A0), ref: 00B89D3D
GetAsyncKeyState.USER32(000000A1), ref: 00B89D57
GetKeyState.USER32(000000A1), ref: 00B89D6C
GetAsyncKeyState.USER32(00000011), ref: 00B89D84
GetKeyState.USER32(00000011), ref: 00B89D96
GetAsyncKeyState.USER32(00000012), ref: 00B89DAE
GetKeyState.USER32(00000012), ref: 00B89DC0
GetAsyncKeyState.USER32(0000005B), ref: 00B89DD8
GetKeyState.USER32(0000005B), ref: 00B89DEA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bdf135c759e78cb0b0d9266176178304e636725f31d74c37f6bd8a13578a889d
Instruction ID: 6cade90a96b63ac05be2858e3dc6ef34d332d6c299c2d4a9bfaf53bfda6bb936
Opcode Fuzzy Hash: bdf135c759e78cb0b0d9266176178304e636725f31d74c37f6bd8a13578a889d
Instruction Fuzzy Hash: 0241B6346047C96EFF35A664C8043B5BEE0EB11344F0C80EADAC6575D2DBE599C8CBA6

Function 00BA055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BA05BC
inet_addr.WSOCK32(?), ref: 00BA061C
gethostbyname.WSOCK32(?), ref: 00BA0628
IcmpCreateFile.IPHLPAPI ref: 00BA0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00BA07B9
WSACleanup.WSOCK32 ref: 00BA07BF

Strings

Ping, xrefs: 00BA0676

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4bd5a7ee4e51a2430dc67a9648decd857630472109e04d53207e9ef5366ef5f5
Instruction ID: 9116b3fdd5bb6cc9d9b504c448816ed7c38d4e0e30c7977012723bf89ce9bfec
Opcode Fuzzy Hash: 4bd5a7ee4e51a2430dc67a9648decd857630472109e04d53207e9ef5366ef5f5
Instruction Fuzzy Hash: 64918E356182019FD320EF19D489F1ABBE0EF4A318F1485E9F4699B6A2CB70ED45CF91

Function 00BA8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00BA8CF3

Part of subcall function 00B88E54: _wcslen.LIBCMT ref: 00B88E77

_wcslen.LIBCMT ref: 00BA8D4E
_wcslen.LIBCMT ref: 00BA8D9C
_wcslen.LIBCMT ref: 00BA8DDC
_wcslen.LIBCMT ref: 00BA8E6E

Strings

winapi, xrefs: 00BA8D96, 00BA8D9B
cdecl, xrefs: 00BA8D48, 00BA8D4D
stdcall, xrefs: 00BA8DD6, 00BA8DDB
none, xrefs: 00BA8E65, 00BA8E6A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b6ecf14b1169d4aa4f1a6ab0148297936a36581c3444268c424a28057c6675bd
Instruction ID: fc0f14167e8a877726ddeef0faba4bad7483475b0277b0dd8cb143e4712ee31a
Opcode Fuzzy Hash: b6ecf14b1169d4aa4f1a6ab0148297936a36581c3444268c424a28057c6675bd
Instruction Fuzzy Hash: FB518131A08116DBCB14DF6CC9509BEB7E6FF66724B2042A9E466A7684DF30DE40C790

Function 00BA372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00BA3774
CoUninitialize.OLE32 ref: 00BA377F
CoCreateInstance.OLE32(?,00000000,00000017,00BBFB78,?), ref: 00BA37D9
IIDFromString.OLE32(?,?), ref: 00BA384C
VariantInit.OLEAUT32(?), ref: 00BA38E4
VariantClear.OLEAUT32(?), ref: 00BA3936

Strings

Invalid parameter, xrefs: 00BA3865
NULL Pointer assignment, xrefs: 00BA381E
Failed to create object, xrefs: 00BA37E4, 00BA389A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e3f527847f2cd14d575afc13d68c8dd5742c099da125798248a5fc57a3bcbc5f
Instruction ID: 4451119e01e177235ad0c04856ebe06b6fd98eb9ca1515028c51497d866f5d86
Opcode Fuzzy Hash: e3f527847f2cd14d575afc13d68c8dd5742c099da125798248a5fc57a3bcbc5f
Instruction Fuzzy Hash: 5661B270608311AFD710DF54D888F6ABBE4EF4AB10F10499DF5859B2A1DB74EE48CB92

Function 00B93388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B933CF

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B933F0

Strings

Line %d (File "%s"):, xrefs: 00B93443, 00B9345C
^ ERROR , xrefs: 00B9349E
"%s" (%d) : ==> %s:, xrefs: 00B93522
"%s" (%d) : ==> %s:%s%s, xrefs: 00B93504
Incorrect parameters to object property !, xrefs: 00B934AB
Error: , xrefs: 00B934D1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ad861638d6564761b3e161debeb1da2a93de330f64d7315e8952d307b1533120
Instruction ID: c757eb76b41053bddc8b06e87211cc96806356a1c592879903b3caefcaf5d069
Opcode Fuzzy Hash: ad861638d6564761b3e161debeb1da2a93de330f64d7315e8952d307b1533120
Instruction Fuzzy Hash: FD518C71800219AADF15EBA0DD42EEEB7F8EF18740F1445A5F009731A2EB356F58CB60

Function 00B8B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B8B5FC
_wcslen.LIBCMT ref: 00B8B608
_wcslen.LIBCMT ref: 00B8B64D
_wcslen.LIBCMT ref: 00B8B68C
_wcslen.LIBCMT ref: 00B8B6C7

Strings

EXISTS, xrefs: 00B8B686, 00B8B68B
REMOVE, xrefs: 00B8B602, 00B8B607
KEYS, xrefs: 00B8B647, 00B8B64C
APPEND, xrefs: 00B8B6C1, 00B8B6C6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 917b3e7afc1a06810fa6452b822cadf0d94070fd7a1fb356aa88f868347e39e9
Instruction ID: 166f37df3315af8fc55b883f7db314750dcd0bf9e6a27013fc283a7caf3ec40c
Opcode Fuzzy Hash: 917b3e7afc1a06810fa6452b822cadf0d94070fd7a1fb356aa88f868347e39e9
Instruction Fuzzy Hash: D841A532A001279BCB207F7D88909BEB7E5EF61794B2542A9E425DB2A4F731CD81D790

Function 00B95393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B95416
GetLastError.KERNEL32 ref: 00B95420
SetErrorMode.KERNEL32(00000000,READY), ref: 00B954A7

Strings

UNKNOWN, xrefs: 00B95444
READONLY, xrefs: 00B95452
NOTREADY, xrefs: 00B9544B
READY, xrefs: 00B95460, 00B95468
INVALID, xrefs: 00B95459

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3d1badc8e29ecf32b4c64938aa38cf163938bd43d32cd4e0591503c4d479c9ec
Instruction ID: 75e2831e429d0c0379c856dd64e2cd47ed454f66f176cedee7aed0fe74c5646d
Opcode Fuzzy Hash: 3d1badc8e29ecf32b4c64938aa38cf163938bd43d32cd4e0591503c4d479c9ec
Instruction Fuzzy Hash: 0D31C335A406089FCB62DF68C884AAABBF4EF54305F1480F5E405DB396DB70DD82CB90

Function 00BB3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00BB3C79
SetMenu.USER32(?,00000000), ref: 00BB3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB3D10
IsMenu.USER32(?), ref: 00BB3D24
CreatePopupMenu.USER32 ref: 00BB3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB3D5B
DrawMenuBar.USER32 ref: 00BB3D63

Strings

0, xrefs: 00BB3C54
F, xrefs: 00BB3D4E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 109232b13f1c07e57668e2224381e60f27d3c31aa073fc1e532e984df4e8343a
Instruction ID: b323f6053ab1a332c909d6704b11db9b89e36584879927b377a402956d981df8
Opcode Fuzzy Hash: 109232b13f1c07e57668e2224381e60f27d3c31aa073fc1e532e984df4e8343a
Instruction Fuzzy Hash: 40419C74A01209EFDB24CF64D884AEA7BF5FF49300F140169F956A7360DBB0AA10CF90

Function 00B81EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B81F64
GetDlgCtrlID.USER32 ref: 00B81F6F
GetParent.USER32 ref: 00B81F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B81F8E
GetDlgCtrlID.USER32(?), ref: 00B81F97
GetParent.USER32(?), ref: 00B81FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B81FAE

Strings

ListBox, xrefs: 00B81F21
ComboBox, xrefs: 00B81EEC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4622bb4d54975c4282707f2d2ca255b618d891318e94c91ed9bc1ea99ea1390e
Instruction ID: 5beb963db490a07b3de309d8298fc8016cacacad75c0dcf1144d134314e1f067
Opcode Fuzzy Hash: 4622bb4d54975c4282707f2d2ca255b618d891318e94c91ed9bc1ea99ea1390e
Instruction Fuzzy Hash: 9821B074900218BBCF04EFA4DC85DEEBBF8EF19350F004695BA66672A1DBB45905DB60

Function 00B81FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00B82043
GetDlgCtrlID.USER32 ref: 00B8204E
GetParent.USER32 ref: 00B8206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B8206D
GetDlgCtrlID.USER32(?), ref: 00B82076
GetParent.USER32(?), ref: 00B8208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B8208D

Strings

ListBox, xrefs: 00B82002
ComboBox, xrefs: 00B81FCD

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b503bff11215eef2ba9aba6f0700ca2faaf0937e55138cb3dc3fa061928ada4c
Instruction ID: 2e75bb5e5f58317bc9dfdf887058c6118938e194b9d031154af2b0d240ad6ccc
Opcode Fuzzy Hash: b503bff11215eef2ba9aba6f0700ca2faaf0937e55138cb3dc3fa061928ada4c
Instruction Fuzzy Hash: 38219FB5D00218BBCF14EFA0DC85EEEBFF8EF09340F004596B956A71A1DAB54915DB60

Function 00BB3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BB3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BB3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00BB3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BB3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00BB3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00BB3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00BB3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00BB3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00BB3C13

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 47147dab95c7a9a7e551660e39f0f6c8a38bc80fdf2293bafa12ebee3a29ed39
Instruction ID: 6d42274471389af1321e5aed328a8d8cab70fc02f94ec170cf32137ba6e3cb65
Opcode Fuzzy Hash: 47147dab95c7a9a7e551660e39f0f6c8a38bc80fdf2293bafa12ebee3a29ed39
Instruction Fuzzy Hash: BD617A75900248AFDB20DFA8CC81EFE77F8EB09700F104599FA15A72A1DBB4AE45DB50

Function 00B8B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B8B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B165
GetWindowThreadProcessId.USER32(00000000), ref: 00B8B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B8A1E1,?,00000001), ref: 00B8B21D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 552c51550efdb369ef8541117bbe58a4cdb318a3c4e8574708a88aa041ed8f7c
Instruction ID: 3022a890fb36026f601465f29b4e0d7cf803e575acf731e01a97b66507582747
Opcode Fuzzy Hash: 552c51550efdb369ef8541117bbe58a4cdb318a3c4e8574708a88aa041ed8f7c
Instruction Fuzzy Hash: 723148B5510204AFDB10AF78DC98FB97FE9EB51711F204156FA05EB1A0DFB4AA40CB64

Function 00B52C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B52C94

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

_free.LIBCMT ref: 00B52CA0
_free.LIBCMT ref: 00B52CAB
_free.LIBCMT ref: 00B52CB6
_free.LIBCMT ref: 00B52CC1
_free.LIBCMT ref: 00B52CCC
_free.LIBCMT ref: 00B52CD7
_free.LIBCMT ref: 00B52CE2
_free.LIBCMT ref: 00B52CED
_free.LIBCMT ref: 00B52CFB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: acfa974a58b1c3f82066a7108ab7f1110afe976473d32e6a905f983f5fa70f09
Instruction ID: c26d226dce91b573d0ad390f963b48ff3064b540b6e3783ab3afa38ea658b2cb
Opcode Fuzzy Hash: acfa974a58b1c3f82066a7108ab7f1110afe976473d32e6a905f983f5fa70f09
Instruction Fuzzy Hash: 12119376101108AFCB02EF54D882EDD3BA5FF06351F5144E5FE48AB322DA31EE549B90

Function 00B97DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B97FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B97FC1
GetFileAttributesW.KERNEL32(?), ref: 00B97FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B98005
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98017
SetCurrentDirectoryW.KERNEL32(?), ref: 00B98060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B980B0

Strings

*.*, xrefs: 00B98066

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a1d6a9621ca64bc3be61d2347f3989326b172627757e09df4ce4be425f19a5c2
Instruction ID: cc7702efa7f31be949d212c0d8c6062f8810bc27ec3a305fe5fe2e97e98968d5
Opcode Fuzzy Hash: a1d6a9621ca64bc3be61d2347f3989326b172627757e09df4ce4be425f19a5c2
Instruction Fuzzy Hash: AC81A0715586419BCF20EF14C884AAEB7E8FF89310F1448AEF889D7250EB34DD498B92

Function 00B25BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B25C7A

Part of subcall function 00B25D0A: GetClientRect.USER32(?,?), ref: 00B25D30
Part of subcall function 00B25D0A: GetWindowRect.USER32(?,?), ref: 00B25D71
Part of subcall function 00B25D0A: ScreenToClient.USER32(?,?), ref: 00B25D99

GetDC.USER32 ref: 00B646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B64708
SelectObject.GDI32(00000000,00000000), ref: 00B64716
SelectObject.GDI32(00000000,00000000), ref: 00B6472B
ReleaseDC.USER32(?,00000000), ref: 00B64733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B647C4

Strings

U, xrefs: 00B64693

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c8428015ffaaec29e377c0aa89222f7f83f7cc84df94917f896094817c12f388
Instruction ID: ced816e467d269a8bf2cca62d787d12f257d15ca86d9773ddd89090cdb0e4a75
Opcode Fuzzy Hash: c8428015ffaaec29e377c0aa89222f7f83f7cc84df94917f896094817c12f388
Instruction Fuzzy Hash: 4371CD30400A05EFCF218F64C984ABA3BF5FF4A360F1442E9E9565B2A6D7789C41DF60

Function 00B9359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B935E4

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

LoadStringW.USER32(00BF2390,?,00000FFF,?), ref: 00B9360A

Strings

Line %d (File "%s"):, xrefs: 00B9366B
"%s" (%d) : ==> %s:, xrefs: 00B93742
^ ERROR, xrefs: 00B936C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00B93724
Error: , xrefs: 00B936EF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: b0a3e61cb87ed9154a97bd0fdd935d6a4b7ea1bae34e0f8b17ea2bbcd7d43fce
Instruction ID: 3b95df159a61f1a3153312da8a0bb305535eaa82ed3f95de150a40e04269d134
Opcode Fuzzy Hash: b0a3e61cb87ed9154a97bd0fdd935d6a4b7ea1bae34e0f8b17ea2bbcd7d43fce
Instruction Fuzzy Hash: 19515C7180021ABBCF15EBA0DC42EEDBBF8EF14740F1845A5F109721A1EB311A98DBA4

Function 00B9C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B9C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B9C2CA
GetLastError.KERNEL32 ref: 00B9C322
SetEvent.KERNEL32(?), ref: 00B9C336
InternetCloseHandle.WININET(00000000), ref: 00B9C341

Strings

, xrefs: 00B9C2BB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8c9e22ae65a5ff9f2b5d9df8f484179f212585e37a13ed58a46bb5fb906eb591
Instruction ID: 549a6173be1bec46f6042967e033a5a81a522cd068d50a7a48f9d24fef2b02d9
Opcode Fuzzy Hash: 8c9e22ae65a5ff9f2b5d9df8f484179f212585e37a13ed58a46bb5fb906eb591
Instruction Fuzzy Hash: F4317AB1604608AFDB21DFA58C88AAB7FFCEB49744B10866EF48693200DB70DD049B65

Function 00B8989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B63AAF,?,?,Bad directive syntax error,00BBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B898BC
LoadStringW.USER32(00000000,?,00B63AAF,?), ref: 00B898C3

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B89987

Strings

., xrefs: 00B8996D
Line %d (File "%s"):, xrefs: 00B8992D
Error: , xrefs: 00B89955
Line %d:, xrefs: 00B89912
%s (%d) : ==> %s.: %s %s, xrefs: 00B898F1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 386f1a58104b2ab1f8985d4f68528d3e760fb66120a10b9e5a50cef351baec39
Instruction ID: 105021a613c21dc1ca7b89ca563a5015616533822b86c3b7c1af11e25d70a626
Opcode Fuzzy Hash: 386f1a58104b2ab1f8985d4f68528d3e760fb66120a10b9e5a50cef351baec39
Instruction Fuzzy Hash: 8C215E31C0021AABCF15EF90DC06EFE77B5FF28740F0848A5F519660A2EB759A58DB50

Function 00B8209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B8214D

Strings

list, xrefs: 00B8212F
SHELLDLL_DefView, xrefs: 00B820CC
details, xrefs: 00B820FB
smallicons, xrefs: 00B82115
largeicons, xrefs: 00B820E1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 69ed6a6cb728dd5e4c725126b0852041ab93e7155b19a623931871a16062d1f2
Instruction ID: 211875cd1a2a00ec0279f4a578dacde9bbbb9b222821b1f49c60699a78635d41
Opcode Fuzzy Hash: 69ed6a6cb728dd5e4c725126b0852041ab93e7155b19a623931871a16062d1f2
Instruction Fuzzy Hash: 8A110676688706BAFA117731DC0ADA637DCDB04328B3001E6FB05B60F1FFA1A911A715

Function 00B58D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30becefb4b1f8e1227fce567c417b99b9a09db833e84dfd4626be47252c22b17
Instruction ID: 99a4dbd513cf00533d5ba36642f6b62dc6289091e9305379ef18fb436fde4a09
Opcode Fuzzy Hash: 30becefb4b1f8e1227fce567c417b99b9a09db833e84dfd4626be47252c22b17
Instruction Fuzzy Hash: 54C1BE74904249EFDF11EFA8C885BADBBF0AF09311F0845D9F915A7392CB709A49CB61

Function 00B5CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B5CEB7
_free.LIBCMT ref: 00B5CF22
_free.LIBCMT ref: 00B5CF48
_free.LIBCMT ref: 00B5CF71
_free.LIBCMT ref: 00B5CFA9
_free.LIBCMT ref: 00B5CFDA
_free.LIBCMT ref: 00B5D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B5D09C
_free.LIBCMT ref: 00B5D0B5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d42da5380ba6cddb245bf93615e42a63b920865a2cd8d8b99e6926aa33cc971a
Instruction ID: 2b308f0447c8200690cbc9ba124354438ea14c67239b906bdf6283a70b9660b5
Opcode Fuzzy Hash: d42da5380ba6cddb245bf93615e42a63b920865a2cd8d8b99e6926aa33cc971a
Instruction Fuzzy Hash: 5261E371905311AFDB21AFB89891BAA7FE6EF05312F0442FDFD44A7292DA31990DC790

Function 00BB50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00BB5186
ShowWindow.USER32(?,00000000), ref: 00BB51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00BB51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00BB51D1

Part of subcall function 00BB6FBA: DeleteObject.GDI32(00000000), ref: 00BB6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00BB520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BB524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00BB5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00BB5296

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: aeb300e909d375ac79fb3729cea8c56b9d926a68551a58abe01483f5cd8db2fd
Instruction ID: f579e7ddb16e68e66d12e8a7fda3de5fca6ce8034b0478cff43ac696525a16ba
Opcode Fuzzy Hash: aeb300e909d375ac79fb3729cea8c56b9d926a68551a58abe01483f5cd8db2fd
Instruction Fuzzy Hash: 0C517130A52A08BFEF349F28DC46BF93BE5EB05321F144192F515A62E0C7F5A990DB42

Function 00B38B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B76890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B38874,00000000,00000000,00000000,000000FF,00000000), ref: 00B76901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B7691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B38874,00000000,00000000,00000000,000000FF,00000000), ref: 00B7692D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 1788d74199250dac05a78af3498d74055207416b2e3584753e41a5e4c54618cf
Instruction ID: f1d132fe926b67ed00dae8023c9b8e18535708feb6d2157e90ab0a33bd721019
Opcode Fuzzy Hash: 1788d74199250dac05a78af3498d74055207416b2e3584753e41a5e4c54618cf
Instruction Fuzzy Hash: DB517A7060070AEFDB20CF24CC95FAA7BF5EB58750F208658F956972A0EBB1E950DB50

Function 00B9C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B9C182
GetLastError.KERNEL32 ref: 00B9C195
SetEvent.KERNEL32(?), ref: 00B9C1A9

Part of subcall function 00B9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B9C272
Part of subcall function 00B9C253: GetLastError.KERNEL32 ref: 00B9C322
Part of subcall function 00B9C253: SetEvent.KERNEL32(?), ref: 00B9C336
Part of subcall function 00B9C253: InternetCloseHandle.WININET(00000000), ref: 00B9C341

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8642427f0eaa91e8c242ea2d06bbb99c74490b54a863a86bc44394763786a92d
Instruction ID: ba66bf3cbcc726ac8e8ba06bfa36e51b2cc4c38f484e0f925b2029fa4fb6c975
Opcode Fuzzy Hash: 8642427f0eaa91e8c242ea2d06bbb99c74490b54a863a86bc44394763786a92d
Instruction Fuzzy Hash: 52319A71200701AFDF219FA5DC44A6ABFF8FF58300B10856EF95A83610DB70E814EBA0

Function 00B825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83A57
Part of subcall function 00B83A3D: GetCurrentThreadId.KERNEL32 ref: 00B83A5E
Part of subcall function 00B83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B825B3), ref: 00B83A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B82601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B82605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B8260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B82623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B82627

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 33e2c5761a6d93bb064a9caba81b2b91c0dbb3e6f07b9d7d45af079ac777dc42
Instruction ID: 6c21ef0dcaa6204386ebbbf7965e335af039c3efb6a7ee5d49d5d26b6906205b
Opcode Fuzzy Hash: 33e2c5761a6d93bb064a9caba81b2b91c0dbb3e6f07b9d7d45af079ac777dc42
Instruction Fuzzy Hash: 4A01B170290210BBFB10A7689C8AF593F99DB4EB12F200102F358BF0E1CDF22444CA69

Function 00B81803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B81449,?,?,00000000), ref: 00B8180C
HeapAlloc.KERNEL32(00000000,?,00B81449,?,?,00000000), ref: 00B81813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B81449,?,?,00000000), ref: 00B81828
GetCurrentProcess.KERNEL32(?,00000000,?,00B81449,?,?,00000000), ref: 00B81830
DuplicateHandle.KERNEL32(00000000,?,00B81449,?,?,00000000), ref: 00B81833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B81449,?,?,00000000), ref: 00B81843
GetCurrentProcess.KERNEL32(00B81449,00000000,?,00B81449,?,?,00000000), ref: 00B8184B
DuplicateHandle.KERNEL32(00000000,?,00B81449,?,?,00000000), ref: 00B8184E
CreateThread.KERNEL32(00000000,00000000,00B81874,00000000,00000000,00000000), ref: 00B81868

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ad922dcf56941f90757f78b3db74ddc90940831c81337fffdafd85af28db2f66
Instruction ID: 6dd34e7f8cde7bf0518d5d52d206f0fbb5e846776c428c234f3a66b3b5d96853
Opcode Fuzzy Hash: ad922dcf56941f90757f78b3db74ddc90940831c81337fffdafd85af28db2f66
Instruction Fuzzy Hash: 1501ACB5240304BFE610EFA9DC49F573BACEB89B11F504511FA05EB1A1CAB0D800CB20

Function 00BAA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B8D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B8D501
Part of subcall function 00B8D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B8D50F
Part of subcall function 00B8D4DC: CloseHandle.KERNELBASE(00000000), ref: 00B8D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAA16D
GetLastError.KERNEL32 ref: 00BAA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BAA268
GetLastError.KERNEL32(00000000), ref: 00BAA273
CloseHandle.KERNEL32(00000000), ref: 00BAA2C4

Strings

SeDebugPrivilege, xrefs: 00BAA18F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 91e43d7af46953521a611eaad89613a94af9cfe8f98f7af6069510231ca5b5d9
Instruction ID: 77c4e47545413b1ca29e799248acaaf0b952de25c33a85771ff1918fa1d5ad7b
Opcode Fuzzy Hash: 91e43d7af46953521a611eaad89613a94af9cfe8f98f7af6069510231ca5b5d9
Instruction Fuzzy Hash: 86616C70208242AFD720DF18C494F1ABBE5AF45318F1484DCE45A5B7A2C772EC49CBA2

Function 00BB3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BB3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00BB393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BB3954
_wcslen.LIBCMT ref: 00BB3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BB39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BB39F4

Strings

SysListView32, xrefs: 00BB38F7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: bdeef60e1ad57ad9573aa9176ce9debe5cd2fc4d9dc1e9106fc17544bb26ac84
Instruction ID: ab9badc86333706df34851332cacbf6bb249a2fb6b35d51ecb14141f2a598e33
Opcode Fuzzy Hash: bdeef60e1ad57ad9573aa9176ce9debe5cd2fc4d9dc1e9106fc17544bb26ac84
Instruction Fuzzy Hash: AF41A471A00218ABEB21DF64CC45FFA7BE9EF08750F1005A6F559E7291D7B19A80CB90

Function 00B8BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B8BCFD
IsMenu.USER32(00000000), ref: 00B8BD1D
CreatePopupMenu.USER32 ref: 00B8BD53
GetMenuItemCount.USER32(00F866D0), ref: 00B8BDA4
InsertMenuItemW.USER32(00F866D0,?,00000001,00000030), ref: 00B8BDCC

Strings

2, xrefs: 00B8BD37
0, xrefs: 00B8BCA8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 281ef865c5d3865fb0a3761657714670ef7dff2bfefb2561d24b049893b73cad
Instruction ID: 7f99dc5b161edc0e5e095b70dd63342f64dbebb209aef3f44d19cea07708d722
Opcode Fuzzy Hash: 281ef865c5d3865fb0a3761657714670ef7dff2bfefb2561d24b049893b73cad
Instruction Fuzzy Hash: 08518C70A00205EBDB20EFB8D884FAEBBF4EF55314F1446A9E851A72B1D7709945CB61

Function 00B8C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B8C913

Strings

stop, xrefs: 00B8C8E4
question, xrefs: 00B8C8CC
info, xrefs: 00B8C8B4
warning, xrefs: 00B8C8FC
blank, xrefs: 00B8C895

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7109615072055ffbe91d1d2e544eab1e83acc308384442d7d180fb0c1a386d1d
Instruction ID: 5f88eee6c59d5b2321d524da1f94323d812e535d0b589d1d8ba9aa8f068e8007
Opcode Fuzzy Hash: 7109615072055ffbe91d1d2e544eab1e83acc308384442d7d180fb0c1a386d1d
Instruction Fuzzy Hash: F4110D71689706BAE702BB559C83DAA6BDCDF15364B2000FBF900A62E2E7B45E409375

Function 00B8DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B8DE42
gethostname.WSOCK32(?,00000100), ref: 00B8DE5C
gethostbyname.WSOCK32(?), ref: 00B8DE69
inet_ntoa.WSOCK32(?), ref: 00B8DEAB
_strcat.LIBCMT ref: 00B8DEB9
WSACleanup.WSOCK32 ref: 00B8DEDE

Strings

0.0.0.0, xrefs: 00B8DE87

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 959f1fe223dcc7a53cf99c3e3ed3a8b6d2f86e46b6ed0fb16a3fd2b821f765f7
Instruction ID: 44992e8478ff234c85922c9a72429c186f7d3203c4bbeab0b599afc4ddb07a3d
Opcode Fuzzy Hash: 959f1fe223dcc7a53cf99c3e3ed3a8b6d2f86e46b6ed0fb16a3fd2b821f765f7
Instruction Fuzzy Hash: F011B471904115AFCF20BB649C4AEEE7BECDB15711F0001EAF5459B0A1EFB19A81DB60

Function 00BB9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

GetSystemMetrics.USER32(0000000F), ref: 00BB9FC7
GetSystemMetrics.USER32(0000000F), ref: 00BB9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BBA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BBA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BBA263
ShowWindow.USER32(00000003,00000000), ref: 00BBA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00BBA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BBA2CA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: f6aea625d6f6d3d5d9fdc3fdd5515689b8449ad80fee7944f02302f76553e968
Instruction ID: 29ace632a93dc9a854fc0ab94366d36b1d9709ec95d9358d9a873fb2639430e1
Opcode Fuzzy Hash: f6aea625d6f6d3d5d9fdc3fdd5515689b8449ad80fee7944f02302f76553e968
Instruction Fuzzy Hash: F9B16731A002199BDF14CF68C9857FE7BF2FF45711F0880A9ED85AB295DBB1A940CB61

Function 00B8ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B8ED2A
_wcslen.LIBCMT ref: 00B8ED3B
_wcslen.LIBCMT ref: 00B8ED79
_wcslen.LIBCMT ref: 00B8EDAF
_wcslen.LIBCMT ref: 00B8EDDF
_wcslen.LIBCMT ref: 00B8EDEF
_wcslen.LIBCMT ref: 00B8EE2B
_wcslen.LIBCMT ref: 00B8EE5A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a021ea6e25884b587c8badfc52c5242746667bbe81ef6470bd40c8eef6a330fb
Instruction ID: b9bd335920afd8f0f4961e73ffc5a66538feaf6afb9202996b4cddef083115fd
Opcode Fuzzy Hash: a021ea6e25884b587c8badfc52c5242746667bbe81ef6470bd40c8eef6a330fb
Instruction Fuzzy Hash: 2341A065C1021876CB11FBB4C88AACFB7E8AF45310F5084A6E528F3121FB34E755D3A6

Function 00B3F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B7682C,00000004,00000000,00000000), ref: 00B3F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B7682C,00000004,00000000,00000000), ref: 00B7F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B7682C,00000004,00000000,00000000), ref: 00B7F454

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8b8b7bf3fd34fe526ab38c542e6908e112703e1e92036eb1f556a69db94e0e1d
Instruction ID: b7e30e5db4fb86f2c4eef7757338a3898098d4477d2dacc75f9ccf590e1cbf6c
Opcode Fuzzy Hash: 8b8b7bf3fd34fe526ab38c542e6908e112703e1e92036eb1f556a69db94e0e1d
Instruction Fuzzy Hash: 6541EB31D04642BBC7398B2D88C877A7BD2EB56324F3486FCE05B57660DA71E880C715

Function 00BB2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BB2D1B
GetDC.USER32(00000000), ref: 00BB2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BB2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00BB2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BB2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BB2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00BB2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BB2DE1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7a253d6cebfd6f7b229847bc2d729a26009e2f453e8de66b7a4aa077e1e889c1
Instruction ID: d2ffeb62cb0c445118db956426aea111e004096036855a4d1ad61ddbcee23048
Opcode Fuzzy Hash: 7a253d6cebfd6f7b229847bc2d729a26009e2f453e8de66b7a4aa077e1e889c1
Instruction Fuzzy Hash: 26315A72201214BBEB118F548C8AFFB3FA9EB49715F044165FE099B291CAB59C51CBA4

Function 00B85622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B85637
_memcmp.LIBVCRUNTIME ref: 00B85659
_memcmp.LIBVCRUNTIME ref: 00B85671
_memcmp.LIBVCRUNTIME ref: 00B85684
_memcmp.LIBVCRUNTIME ref: 00B8569E
_memcmp.LIBVCRUNTIME ref: 00B856B1
_memcmp.LIBVCRUNTIME ref: 00B856C9
_memcmp.LIBVCRUNTIME ref: 00B856E4

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 80a99d5fe7339c24e059c5d02a565d45d2202f6cefbee1cc74984a8ce41a3408
Instruction ID: 3a3cc1d88eafed1d246820601e7ad47132985fc0d2a94a6dcecb982aa9e63b05
Opcode Fuzzy Hash: 80a99d5fe7339c24e059c5d02a565d45d2202f6cefbee1cc74984a8ce41a3408
Instruction Fuzzy Hash: 4F219561A50A0A77D6247D24CD82FFA23DCEE21394B4444E0FD049A5A1F761EE51D3A9

Function 00BA4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00BA5007
NULL Pointer assignment, xrefs: 00BA502E, 00BA5383

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c75f8e1b9e2e48cd1aa1af047769bf45da3352384e0995f87cafb120f716ce8d
Instruction ID: dcc35ebb0d6aeeb23db95955d0902d8aef2abc00e853088ec3fe4c4f2f3e04a5
Opcode Fuzzy Hash: c75f8e1b9e2e48cd1aa1af047769bf45da3352384e0995f87cafb120f716ce8d
Instruction Fuzzy Hash: 71D1A371A0460AAFDF20CFA8C881BAEB7F5FF49344F1484A9E915AB281D770DE45CB50

Function 00B61522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00B615CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B61651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B616E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00B616FB

Part of subcall function 00B53820: RtlAllocateHeap.NTDLL(00000000,?,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6,?,00B21129), ref: 00B53852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B61777
__freea.LIBCMT ref: 00B617A2
__freea.LIBCMT ref: 00B617AE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f9d722a63a76717387f2fbce301417b07add6061f1f1539b64845db5a47acf6a
Instruction ID: 063d04a5875e16602c4e38267e079280e5ceea6506f2711545c5e2a624a5282f
Opcode Fuzzy Hash: f9d722a63a76717387f2fbce301417b07add6061f1f1539b64845db5a47acf6a
Instruction Fuzzy Hash: 62919372E002169BDB208E78C891AFEBBF5EF59710F1C4A99E902E7151DB39DD44CB60

Function 00BA4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA4648
VariantInit.OLEAUT32(?), ref: 00BA4749
VariantClear.OLEAUT32(?), ref: 00BA4753
VariantClear.OLEAUT32(?), ref: 00BA47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00BA45D8, 00BA4706, 00BA47BE
Incorrect Object type in FOR..IN loop, xrefs: 00BA472C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 42be8ddbf8b6084e7d9b35510ddfcbd9d37f5f2bb533b63dc90ef30730ee1adb
Instruction ID: 4911b5ca4b8634266cb13c2fd3eeb79eb1fafb750b913269636d9ca58898637d
Opcode Fuzzy Hash: 42be8ddbf8b6084e7d9b35510ddfcbd9d37f5f2bb533b63dc90ef30730ee1adb
Instruction Fuzzy Hash: AA919071A04215ABDF20CFA5D884FAEBBF8EF86710F108599F505AB281D7B09D45CFA0

Function 00B91187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B9125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B91284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B9135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B91430

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 1f87830b46bdd782debea53e2911e7a7d24ba92e749c99ea3fbf9296dd6d7e51
Instruction ID: 9efd7605d794ec9e390af70a134a1d7a9482886f787ae2e63178ab0f429ecd6e
Opcode Fuzzy Hash: 1f87830b46bdd782debea53e2911e7a7d24ba92e749c99ea3fbf9296dd6d7e51
Instruction Fuzzy Hash: 9D919D75A0021AAFDB009F98D885BBE77F5FF48314F1188A9E500EB391D774A941DB90

Function 00B3948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 742a9412f625b9effe81944f5c9b7fddd80d1206dd50e498f1105c6c802acdc0
Instruction ID: 2e05c67af5e8190950c094e7958d7437931a7fd49cc8df3539e787a6277af584
Opcode Fuzzy Hash: 742a9412f625b9effe81944f5c9b7fddd80d1206dd50e498f1105c6c802acdc0
Instruction Fuzzy Hash: BA912671D40219EFCB10CFA9C885AEEBBB8FF49320F258195E515B7251D7B4A982CB60

Function 00BA3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BA396B
CharUpperBuffW.USER32(?,?), ref: 00BA3A7A
_wcslen.LIBCMT ref: 00BA3A8A
VariantClear.OLEAUT32(?), ref: 00BA3C1F

Part of subcall function 00B90CDF: VariantInit.OLEAUT32(00000000), ref: 00B90D1F
Part of subcall function 00B90CDF: VariantCopy.OLEAUT32(?,?), ref: 00B90D28
Part of subcall function 00B90CDF: VariantClear.OLEAUT32(?), ref: 00B90D34

Strings

AUTOIT.ERROR, xrefs: 00BA3A80, 00BA3A85
Incorrect Parameter format, xrefs: 00BA39A6, 00BA3BA1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 767e186d80dbfa5738f181a8d839b4db72ca36a8e923c9abf31ae205c2810581
Instruction ID: 261f0ceb342d07a43d2d1e0d4276272eec669ebc90bbcc3695e27d9e83431394
Opcode Fuzzy Hash: 767e186d80dbfa5738f181a8d839b4db72ca36a8e923c9abf31ae205c2810581
Instruction Fuzzy Hash: D9916B756083059FC704EF28C48096AB7E5FF89714F1489AEF88A9B351DB30EE45CB92

Function 00BA4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B8000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?,?,00B8035E), ref: 00B8002B
Part of subcall function 00B8000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?), ref: 00B80046
Part of subcall function 00B8000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?), ref: 00B80054
Part of subcall function 00B8000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?), ref: 00B80064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00BA4C51
_wcslen.LIBCMT ref: 00BA4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00BA4DCF
CoTaskMemFree.OLE32(?), ref: 00BA4DDA

Strings

NULL Pointer assignment, xrefs: 00BA4E23, 00BA4E52

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: cd46a5e1e09e05dba4f62c9d08b7416db3c208ebd56560fb91da08eb58edb582
Instruction ID: fa0a546afa6eb91129c334512fa3f368376924ae163a8c321f2dd9d70861dc54
Opcode Fuzzy Hash: cd46a5e1e09e05dba4f62c9d08b7416db3c208ebd56560fb91da08eb58edb582
Instruction Fuzzy Hash: 52912871D0022D9FDF14DFA4D891AEEB7B8FF49310F1085A9E919A7251EB709A44CF60

Function 00BB20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BB2183
GetMenuItemCount.USER32(00000000), ref: 00BB21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BB21DD
_wcslen.LIBCMT ref: 00BB2213
GetMenuItemID.USER32(?,?), ref: 00BB224D
GetSubMenu.USER32(?,?), ref: 00BB225B

Part of subcall function 00B83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83A57
Part of subcall function 00B83A3D: GetCurrentThreadId.KERNEL32 ref: 00B83A5E
Part of subcall function 00B83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B825B3), ref: 00B83A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BB22E3

Part of subcall function 00B8E97B: Sleep.KERNEL32 ref: 00B8E9F3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: bceb6748db95c1fca017aea5430a09515d76b42ca3622717a2fc481dd68f1b70
Instruction ID: 7132c460351de74e2ebf864204e0ba786add49e382366aef683c062027059aa2
Opcode Fuzzy Hash: bceb6748db95c1fca017aea5430a09515d76b42ca3622717a2fc481dd68f1b70
Instruction Fuzzy Hash: 64713F75A00215AFCB14DF68C885AFEBBF5EF48310F148499E916EB351DBB4ED418B90

Function 00BB7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F866A8), ref: 00BB7F37
IsWindowEnabled.USER32(00F866A8), ref: 00BB7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BB801E
SendMessageW.USER32(00F866A8,000000B0,?,?), ref: 00BB8051
IsDlgButtonChecked.USER32(?,?), ref: 00BB8089
GetWindowLongW.USER32(00F866A8,000000EC), ref: 00BB80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BB80C3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 99566d137adc217d2d7cb9614132a8851a2a5074ffdfbe432f160946426a0efc
Instruction ID: 43208d0af22e6128109564060f8e79bb26f0c2481bb265c5c502c8d2116b2052
Opcode Fuzzy Hash: 99566d137adc217d2d7cb9614132a8851a2a5074ffdfbe432f160946426a0efc
Instruction Fuzzy Hash: C071CF34648284AFEB21DF54C884FFABBF9EF49340F104499E946972A1CFB1A845CB54

Function 00B8AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B8AEF9
GetKeyboardState.USER32(?), ref: 00B8AF0E
SetKeyboardState.USER32(?), ref: 00B8AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B8AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B8AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B8AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B8B020

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 46cc57617b023fe1bb5bc3a554969cdffa1db121eaa25cb5e4e18fba460f7157
Instruction ID: 7af02a15a06813270208dd5c9d161e6f613280f0cc30c0b9ab3e9f4abb7980a8
Opcode Fuzzy Hash: 46cc57617b023fe1bb5bc3a554969cdffa1db121eaa25cb5e4e18fba460f7157
Instruction Fuzzy Hash: BD51F5A06043D13DFB36A2348C45FBABEE99B06304F0885CAE2D5858E2D7D8ACC4D751

Function 00B8ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B8AD19
GetKeyboardState.USER32(?), ref: 00B8AD2E
SetKeyboardState.USER32(?), ref: 00B8AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B8ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B8ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B8AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B8AE38

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 01c4be17ca21c04b2ee09e9d8887d956d1db1347316ce048c859382cfb033319
Instruction ID: 7ac852115f992338357cc1a59da90051fca53a25f0e9a5b088ff23441d38b1dc
Opcode Fuzzy Hash: 01c4be17ca21c04b2ee09e9d8887d956d1db1347316ce048c859382cfb033319
Instruction Fuzzy Hash: E85118A15047D53DFB33A334CC85B7ABED89B05301F0889DAE1D5968E2D794EC84D752

Function 00B5542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00B63CD6,?,?,?,?,?,?,?,?,00B55BA3,?,?,00B63CD6,?,?), ref: 00B55470
__fassign.LIBCMT ref: 00B554EB
__fassign.LIBCMT ref: 00B55506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00B63CD6,00000005,00000000,00000000), ref: 00B5552C
WriteFile.KERNEL32(?,00B63CD6,00000000,00B55BA3,00000000,?,?,?,?,?,?,?,?,?,00B55BA3,?), ref: 00B5554B
WriteFile.KERNEL32(?,?,00000001,00B55BA3,00000000,?,?,?,?,?,?,?,?,?,00B55BA3,?), ref: 00B55584

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 81e49cc6df2f7ff7fcf2e7908c708d7f2a315791878c4a8f88de2d13dabc3078
Instruction ID: 16b35d20dda6acbc089778beeb5646e0a68cde8823118aa2f1ab0f55e4cf7ddd
Opcode Fuzzy Hash: 81e49cc6df2f7ff7fcf2e7908c708d7f2a315791878c4a8f88de2d13dabc3078
Instruction Fuzzy Hash: E751E6709006499FDB20CFA8D891BEEBBF9EF18302F14419AF955E7291E7309A45CB60

Function 00B42D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B42D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B42D53
_ValidateLocalCookies.LIBCMT ref: 00B42DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B42E0C
_ValidateLocalCookies.LIBCMT ref: 00B42E61

Strings

csm, xrefs: 00B42DF6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7ce856bb0006444a82e39bfb586611bb75b1de29b3af385c48c6c9fe581b4abc
Instruction ID: 46b22e596f7a2c1f58a5c623803d17cf90495c3ae790c1a4136f62e14b16015f
Opcode Fuzzy Hash: 7ce856bb0006444a82e39bfb586611bb75b1de29b3af385c48c6c9fe581b4abc
Instruction Fuzzy Hash: 64418134E00209ABCF10DF68C885A9EBBF5FF44324F5481A5F815AB352D7319B15EB90

Function 00BA10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BA307A
Part of subcall function 00BA304E: _wcslen.LIBCMT ref: 00BA309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BA1112
WSAGetLastError.WSOCK32 ref: 00BA1121
WSAGetLastError.WSOCK32 ref: 00BA11C9
closesocket.WSOCK32(00000000), ref: 00BA11F9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 949d3db717412f000f95ac1ad75cd1a985ee5bbf0726a1e57bccd8c27bf0b387
Instruction ID: 2f9ced3fde88cc2bbecc6ba4e914fae41d6bf5527383aa625a412583838a075f
Opcode Fuzzy Hash: 949d3db717412f000f95ac1ad75cd1a985ee5bbf0726a1e57bccd8c27bf0b387
Instruction Fuzzy Hash: 51412331204214AFDB10DF18CC84BAABBE9EF46324F148199FD09AB291CB70ED41CBE1

Function 00B8CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B8CF22,?), ref: 00B8DDFD

Part of subcall function 00B8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B8CF22,?), ref: 00B8DE16

lstrcmpiW.KERNEL32(?,?), ref: 00B8CF45
MoveFileW.KERNEL32(?,?), ref: 00B8CF7F
_wcslen.LIBCMT ref: 00B8D005
_wcslen.LIBCMT ref: 00B8D01B
SHFileOperationW.SHELL32(?), ref: 00B8D061

Strings

\*.*, xrefs: 00B8CFF3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b207eb797c5c9d008c7b4ec14835baa0688bcb1323f43005e8cc96efd7236786
Instruction ID: 358cbfe6b74904e72b628cd0b7aa14a07e6b9e53ec82aa6a8d40574345fe56dd
Opcode Fuzzy Hash: b207eb797c5c9d008c7b4ec14835baa0688bcb1323f43005e8cc96efd7236786
Instruction Fuzzy Hash: C14103B19452185FDF12FFA4D981ADEB7F9EF18380F1000E6A609EB151EB74A749CB50

Function 00BB2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BB2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00BB2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00BB2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BB2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BB2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00BB2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB2F0B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 05c61ef2f69f165421db9fb404e7b91f6d988f8cdc8955e9b582ac69afec88d8
Instruction ID: 4de2d228e95481f83371f14dd928b1d7c03ac9c070f1fe495ed757b9c5ec9ee6
Opcode Fuzzy Hash: 05c61ef2f69f165421db9fb404e7b91f6d988f8cdc8955e9b582ac69afec88d8
Instruction Fuzzy Hash: 1131FD30604290EFEB21CF59DC85FB53BE5EB9A720F1546A4F9018B2B2CBB1E841DB51

Function 00B87726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B87769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8778F
SysAllocString.OLEAUT32(00000000), ref: 00B87792
SysAllocString.OLEAUT32(?), ref: 00B877B0
SysFreeString.OLEAUT32(?), ref: 00B877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00B877DE
SysAllocString.OLEAUT32(?), ref: 00B877EC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 61fc9619768cde398d3317016527c3ff25ac610b486420b0dc5141df01bfd5f2
Instruction ID: a90c96e990dd67ef2374f6f480685597e51b408c152b035105f8a322758b7231
Opcode Fuzzy Hash: 61fc9619768cde398d3317016527c3ff25ac610b486420b0dc5141df01bfd5f2
Instruction Fuzzy Hash: 6621A77A604219AFDF10EFA8CC88CBB77ECEB097687148165F915DB260DA70DD41C764

Function 00B877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B87842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B87868
SysAllocString.OLEAUT32(00000000), ref: 00B8786B
SysAllocString.OLEAUT32 ref: 00B8788C
SysFreeString.OLEAUT32 ref: 00B87895
StringFromGUID2.OLE32(?,?,00000028), ref: 00B878AF
SysAllocString.OLEAUT32(?), ref: 00B878BD

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fcf5e66433c07624274a67d9ea238dd1eb341c5a16eb2c06defed0072a9d5227
Instruction ID: 585d9f16e57398832736c93e537e96a4a7218113583444daa0004098ecf40fac
Opcode Fuzzy Hash: fcf5e66433c07624274a67d9ea238dd1eb341c5a16eb2c06defed0072a9d5227
Instruction Fuzzy Hash: F4218E31608205AF9B10EBA9DC8CDAA77ECEB08364B208165B915CB2A1DE70DC41CB64

Function 00B904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B9052E

Strings

nul, xrefs: 00B90567

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7103abead16b1d541271a594f16f7ec8f9342eb786e922af3eb6fbb615f09062
Instruction ID: 5720e48db1df6fdb98f52726287ad4cb9dea1e876d2241d1edda3ef3014bca72
Opcode Fuzzy Hash: 7103abead16b1d541271a594f16f7ec8f9342eb786e922af3eb6fbb615f09062
Instruction Fuzzy Hash: DE2151755103059FDF20AF29D884A5A7BF4EF54764F614A79E8A1D72E0D770D940CF20

Function 00B905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B90601

Strings

nul, xrefs: 00B90639

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ff7dc2631049fe6c116ae066d7fc0f6692cc3f53b4bfce69c6894b1da1a51136
Instruction ID: f627330ae3a54eaaaf1f95668719e5e902cf6fee70056ced0b3c1899ec1faedd
Opcode Fuzzy Hash: ff7dc2631049fe6c116ae066d7fc0f6692cc3f53b4bfce69c6894b1da1a51136
Instruction Fuzzy Hash: 752153755103059FDF20AF699C44A5A7BE8FF95724F200B69F8A1E72E0DBB09960CB20

Function 00BB40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B2604C
Part of subcall function 00B2600E: GetStockObject.GDI32(00000011), ref: 00B26060
Part of subcall function 00B2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B2606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BB4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BB411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BB412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BB4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BB4145

Strings

Msctls_Progress32, xrefs: 00BB40E3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c05824723e68450d9134bcab8d33d19d825354100f1b737aa2ed824ba9762264
Instruction ID: 8390cd5e4fdde30d2aca1263cab9a27a56893596751c603e2bf7374bc46efb23
Opcode Fuzzy Hash: c05824723e68450d9134bcab8d33d19d825354100f1b737aa2ed824ba9762264
Instruction Fuzzy Hash: 411190B2150219BFEF119E64CC85EF77F9DEF08798F004111BA18A6050CBB29C21DBA4

Function 00B5D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B5D7A3: _free.LIBCMT ref: 00B5D7CC

_free.LIBCMT ref: 00B5D82D

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

_free.LIBCMT ref: 00B5D838
_free.LIBCMT ref: 00B5D843
_free.LIBCMT ref: 00B5D897
_free.LIBCMT ref: 00B5D8A2
_free.LIBCMT ref: 00B5D8AD
_free.LIBCMT ref: 00B5D8B8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 29402ad087638ce728cb7eee2516f8574db46f77bd0b8bf4310d230ff3345ff4
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 28118171541B04AAD531BFB0CC07FCB7BDCAF09702F4009E5BA99A6A92DA24B9094650

Function 00B8DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B8DA74
LoadStringW.USER32(00000000), ref: 00B8DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B8DA91
LoadStringW.USER32(00000000), ref: 00B8DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B8DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B8DAB9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 662fc3b047c52d0f2ae50464593111b872fc01856d43153aa4e0ed0a36fe7a17
Instruction ID: c3855d514cb6bb2fd2252b3c93d0051f0d9a46925db0af814d7db7cf436cc4d5
Opcode Fuzzy Hash: 662fc3b047c52d0f2ae50464593111b872fc01856d43153aa4e0ed0a36fe7a17
Instruction Fuzzy Hash: F6018BF29002087FE751E7A49D89EFB376CD708701F400596B706E3051EAB49D848F74

Function 00B9096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F7E230,00F7E230), ref: 00B9097B
EnterCriticalSection.KERNEL32(00F7E210,00000000), ref: 00B9098D
TerminateThread.KERNEL32(?,000001F6), ref: 00B9099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00B909A9
CloseHandle.KERNEL32(?), ref: 00B909B8
InterlockedExchange.KERNEL32(00F7E230,000001F6), ref: 00B909C8
LeaveCriticalSection.KERNEL32(00F7E210), ref: 00B909CF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ff81f6f22996db380f98c3e61ee3230253e6e2f15b5fa9bb1e17fe83e906d95a
Instruction ID: f27c0f91d02d1dd5caef6a9914f43175428f19abd2c20012cbfa3d2716d5e23c
Opcode Fuzzy Hash: ff81f6f22996db380f98c3e61ee3230253e6e2f15b5fa9bb1e17fe83e906d95a
Instruction Fuzzy Hash: 93F03131442512BFDB459F94EE8CBD67F75FF01702F501126F101518A0CBB49865CF90

Function 00B25D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B25D30
GetWindowRect.USER32(?,?), ref: 00B25D71
ScreenToClient.USER32(?,?), ref: 00B25D99
GetClientRect.USER32(?,?), ref: 00B25ED7
GetWindowRect.USER32(?,?), ref: 00B25EF8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a017d2edafb7efc8444c82ce1d9abb35b9dc7f32c4cbbada86ad88d9b4327d2d
Instruction ID: ef890d180651bb47c6e453f2a7da6f3c8e52cbcd08130b2de9b4dfaec842611a
Opcode Fuzzy Hash: a017d2edafb7efc8444c82ce1d9abb35b9dc7f32c4cbbada86ad88d9b4327d2d
Instruction Fuzzy Hash: CFB17734A00A4ADFDB24DFA9C4807EEB7F1FF58310F14855AE8AAD7250DB34AA51DB50

Function 00B501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B500D6
__allrem.LIBCMT ref: 00B500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B5010B
__allrem.LIBCMT ref: 00B50122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B50140

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: b8291c8499bb12b7b946eb2de05c4f2e86cd8702b08461674aba44173b377354
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: EC810872A01B069BE720AF28CC41B6B73E8EF45325F2845FAF951D76C1E7B0DA089751

Function 00BA1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00BA101C,00000000,?,?,00000000), ref: 00BA3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BA1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BA1DE1
WSAGetLastError.WSOCK32 ref: 00BA1DF2
inet_ntoa.WSOCK32(?), ref: 00BA1E8C
htons.WSOCK32(?,?,?,?,?), ref: 00BA1EDB
_strlen.LIBCMT ref: 00BA1F35

Part of subcall function 00B839E8: _strlen.LIBCMT ref: 00B839F2

Part of subcall function 00B26D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00B3CF58,?,?,?), ref: 00B26DBA
Part of subcall function 00B26D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00B3CF58,?,?,?), ref: 00B26DED

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 22752391fc0ce0f9a145afed7b0173ede5a7265e04b1eb993d857bfac68fd7df
Instruction ID: 8b7c18d2e7fa92c8718351ef91ecfc3a656ae9a991de5ae01e1b169e0c5b5454
Opcode Fuzzy Hash: 22752391fc0ce0f9a145afed7b0173ede5a7265e04b1eb993d857bfac68fd7df
Instruction Fuzzy Hash: B7A1E131508350AFC324EF28C895F2A7BE5EF85318F54899CF45A5B2A2CB71ED46CB91

Function 00B561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B482D9,00B482D9,?,?,?,00B5644F,00000001,00000001,8BE85006), ref: 00B56258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B5644F,00000001,00000001,8BE85006,?,?,?), ref: 00B562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B563D8
__freea.LIBCMT ref: 00B563E5

Part of subcall function 00B53820: RtlAllocateHeap.NTDLL(00000000,?,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6,?,00B21129), ref: 00B53852

__freea.LIBCMT ref: 00B563EE
__freea.LIBCMT ref: 00B56413

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: c8783e6f4c7c90df99b96f519c9b7a647f65a31f72350f6860d178b22a5bcd10
Instruction ID: 7a84f9aa4242f39e3bb8f3e5c9e6acbb47aa072b1d6033eb5c109a55a3674338
Opcode Fuzzy Hash: c8783e6f4c7c90df99b96f519c9b7a647f65a31f72350f6860d178b22a5bcd10
Instruction Fuzzy Hash: 2E51D072A00216ABEB258F68DC81FAF7BE9EB48751F5446E9FC05E7140EB34DC48C664

Function 00BABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00BAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAB6AE,?,?), ref: 00BAC9B5
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BAC9F1
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA68
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BABD25
RegCloseKey.ADVAPI32(00000000), ref: 00BABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BABDF3
RegCloseKey.ADVAPI32(?), ref: 00BABDFF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4e723de716d544cb7afd418d2ba7a601b9fe06123de877c3449b56b6c7057935
Instruction ID: e039e63b93970a9312f40c6c12c95c2f40fc2a36216fec9fc200b5b147755415
Opcode Fuzzy Hash: 4e723de716d544cb7afd418d2ba7a601b9fe06123de877c3449b56b6c7057935
Instruction Fuzzy Hash: B6819271118241EFD714DF24C895E2ABBE5FF85308F1489ACF4A94B2A2DB31ED45CB92

Function 00B7F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B7F7B9
SysAllocString.OLEAUT32(00000001), ref: 00B7F860
VariantCopy.OLEAUT32(00B7FA64,00000000), ref: 00B7F889
VariantClear.OLEAUT32(00B7FA64), ref: 00B7F8AD
VariantCopy.OLEAUT32(00B7FA64,00000000), ref: 00B7F8B1
VariantClear.OLEAUT32(?), ref: 00B7F8BB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 0d69e29d694c72ae2e4a175dd07f201dd50e7bbffa1e7e86f2b3b594f4358a9a
Instruction ID: b3c2bc6b01e6e5298daf02e452b9d3c732d1d855c478708ba901281eb2525839
Opcode Fuzzy Hash: 0d69e29d694c72ae2e4a175dd07f201dd50e7bbffa1e7e86f2b3b594f4358a9a
Instruction Fuzzy Hash: 5051A331514312AACF24AB65D895B79B3E4EF45310F24D4E6E919EF291DB70CC40C7AA

Function 00B9910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B27620: _wcslen.LIBCMT ref: 00B27625

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B994E5
_wcslen.LIBCMT ref: 00B99506
_wcslen.LIBCMT ref: 00B9952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00B99585

Strings

X, xrefs: 00B99412

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 16712bf87adb93231f28c8e7906b3279c36f7ef89ef34cd9379d0520bee16721
Instruction ID: 0624303bcad7f7911b5a9409945b3546f20bef8117002052151c1d0dd1bc58ff
Opcode Fuzzy Hash: 16712bf87adb93231f28c8e7906b3279c36f7ef89ef34cd9379d0520bee16721
Instruction Fuzzy Hash: B1E1BF315083509FDB64DF28D881A6AB7E4FF94310F0489BDF8899B2A2DB31DD05CB92

Function 00B3920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

BeginPaint.USER32(?,?,?), ref: 00B39241
GetWindowRect.USER32(?,?), ref: 00B392A5
ScreenToClient.USER32(?,?), ref: 00B392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B392D3
EndPaint.USER32(?,?,?,?,?), ref: 00B39321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B771EA

Part of subcall function 00B39339: BeginPath.GDI32(00000000), ref: 00B39357

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 918b1957f6d844a0c64cc90806e69be7c24cc29222536ad23e6f29442657e0b1
Instruction ID: 30b3fff88eb1ab87951e3dd019063396b8b0a8594bdf1eba84fe4630eeb3d941
Opcode Fuzzy Hash: 918b1957f6d844a0c64cc90806e69be7c24cc29222536ad23e6f29442657e0b1
Instruction Fuzzy Hash: 7A41AD70108200EFD711DF29CC84FBA7BE8EF55320F244AA9F9A5972E1CBB19845DB61

Function 00B907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B9080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B90847
EnterCriticalSection.KERNEL32(?), ref: 00B90863
LeaveCriticalSection.KERNEL32(?), ref: 00B908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B90921

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7b464460a9740a0e3b409c3152cb01edcb2e3ae6d5c458cfeeb75bc1ddc0d53d
Instruction ID: 3f1e4296f134bff51db4536e89256d40dbd3d19bf02e736c823f5e8d8ca1ff38
Opcode Fuzzy Hash: 7b464460a9740a0e3b409c3152cb01edcb2e3ae6d5c458cfeeb75bc1ddc0d53d
Instruction Fuzzy Hash: 4D415771A10206AFDF14EF54DC85AAA7BB8FF04300F1440B9ED00AB296DB70DE60DBA0

Function 00BB81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B7F3AB,00000000,?,?,00000000,?,00B7682C,00000004,00000000,00000000), ref: 00BB824C
EnableWindow.USER32(?,00000000), ref: 00BB8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00BB82D1
ShowWindow.USER32(?,00000004), ref: 00BB82E5
EnableWindow.USER32(?,00000001), ref: 00BB830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00BB832F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 08bba3d875cdea9d76a8adada4648121bd8ba16c2b93cc80e7c67f73f40e3ccf
Instruction ID: c8fce94498643fc67504b39a41ec2a582cbd278b728225ad50c382a5f66d2299
Opcode Fuzzy Hash: 08bba3d875cdea9d76a8adada4648121bd8ba16c2b93cc80e7c67f73f40e3ccf
Instruction Fuzzy Hash: A4416134601644EFDB16CF15D899BF47BE5FB4A714F1842E9E5084B262CBB1AC41CF94

Function 00B84C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B84C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B84CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B84CEA
_wcslen.LIBCMT ref: 00B84D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B84D10
_wcsstr.LIBVCRUNTIME ref: 00B84D1A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 296728d77c2e91a289ce896bc2aba84bc8052cffe2bb1642d740c3e9c227bcc6
Instruction ID: 8e6c26877349ca45848a784237be146a02b50acc32bd6905e61701dc3c943923
Opcode Fuzzy Hash: 296728d77c2e91a289ce896bc2aba84bc8052cffe2bb1642d740c3e9c227bcc6
Instruction Fuzzy Hash: CC21B372604216BBEB15AB299C49E7B7BDCDB45750F1040B9F805CB1A1EBA19D01D7A0

Function 00B9581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B23A97,?,?,00B22E7F,?,?,?,00000000), ref: 00B23AC2

_wcslen.LIBCMT ref: 00B9587B
CoInitialize.OLE32(00000000), ref: 00B95995
CoCreateInstance.OLE32(00BBFCF8,00000000,00000001,00BBFB68,?), ref: 00B959AE
CoUninitialize.OLE32 ref: 00B959CC

Strings

.lnk, xrefs: 00B95876, 00B958C1, 00B95985

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 5fc556559de6cedb1543ae3ec7d085c18238abd3212070589bfe0375128ff4f9
Instruction ID: e1bff913a5959f033ac4a917e6cfde88bcec110fdc2e2612ec44a72c4275cd6c
Opcode Fuzzy Hash: 5fc556559de6cedb1543ae3ec7d085c18238abd3212070589bfe0375128ff4f9
Instruction Fuzzy Hash: A4D173716487119FCB24DF24C480A2ABBE5FF89710F1488ADF8899B361DB31ED45CB92

Function 00B8175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B80FCA
Part of subcall function 00B80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B80FD6
Part of subcall function 00B80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B80FE5
Part of subcall function 00B80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B80FEC
Part of subcall function 00B80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B81002

GetLengthSid.ADVAPI32(?,00000000,00B81335), ref: 00B817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B817BA
HeapAlloc.KERNEL32(00000000), ref: 00B817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B817DA
GetProcessHeap.KERNEL32(00000000,00000000,00B81335), ref: 00B817EE
HeapFree.KERNEL32(00000000), ref: 00B817F5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d3570a3d9eb503533d458a7f14aa737731e5b07f776375477aa9888824ce6c7f
Instruction ID: 6587f66022ca605b49e37d9495607afd65dd4ac9a87fb7ed9735371f53120919
Opcode Fuzzy Hash: d3570a3d9eb503533d458a7f14aa737731e5b07f776375477aa9888824ce6c7f
Instruction Fuzzy Hash: C011DCB6502204EFDB10EFA8DC48BAE7BECEB41355F10499DF581A7220CB75AD01CB60

Function 00B814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00B81506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B81515
CloseHandle.KERNEL32(00000004), ref: 00B81520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B81563

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d5ab566344b7931f22991483db8c8ccbc8df7908b785d43aaabd07736f3ac490
Instruction ID: ffb97f56a201eb4bb74234afac93ee4343ea18d6ea626d3b746e94ea5d0ccdb6
Opcode Fuzzy Hash: d5ab566344b7931f22991483db8c8ccbc8df7908b785d43aaabd07736f3ac490
Instruction Fuzzy Hash: AA115672505209ABDF11DFA8ED49FDE7BADEF48704F044164FA05A2160C7B1CE61DB60

Function 00B43382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B43379,00B42FE5), ref: 00B43390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B433B7
SetLastError.KERNEL32(00000000,?,00B43379,00B42FE5), ref: 00B43409

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 118e082bdfd02f0bb9cc34ef6239c7f4ed70865a28b4e1835e5d96abc3a60626
Instruction ID: ec87e62b9c7b116767930fb3b5f51aaa5291f8642766ce776719eb77703ed606
Opcode Fuzzy Hash: 118e082bdfd02f0bb9cc34ef6239c7f4ed70865a28b4e1835e5d96abc3a60626
Instruction Fuzzy Hash: F001D83360D312BFAA192BB47CC56562ED4EB05F7972802A9F420862F2EF614F027548

Function 00B52D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B55686,00B63CD6,?,00000000,?,00B55B6A,?,?,?,?,?,00B4E6D1,?,00BE8A48), ref: 00B52D78
_free.LIBCMT ref: 00B52DAB
_free.LIBCMT ref: 00B52DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B4E6D1,?,00BE8A48,00000010,00B24F4A,?,?,00000000,00B63CD6), ref: 00B52DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B4E6D1,?,00BE8A48,00000010,00B24F4A,?,?,00000000,00B63CD6), ref: 00B52DEC
_abort.LIBCMT ref: 00B52DF2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a4cf91b09944c3dec2f28ac2448e0cd7a7d0434bb0d65682b4d3d3a08c11aefb
Instruction ID: 6d06b69ea660eab325c2ff8826a1c0f3d6757a56021130263d947ac1769c3a0a
Opcode Fuzzy Hash: a4cf91b09944c3dec2f28ac2448e0cd7a7d0434bb0d65682b4d3d3a08c11aefb
Instruction Fuzzy Hash: 45F0A436506A0027D2126734AC06F5A2AF9EFC37A3F2445F9FC24A32E2EF75880E4161

Function 00BB8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B39693
Part of subcall function 00B39639: SelectObject.GDI32(?,00000000), ref: 00B396A2
Part of subcall function 00B39639: BeginPath.GDI32(?), ref: 00B396B9
Part of subcall function 00B39639: SelectObject.GDI32(?,00000000), ref: 00B396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00BB8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00BB8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00BB8A70
LineTo.GDI32(?,00000000,00000003), ref: 00BB8A80
EndPath.GDI32(?), ref: 00BB8A90
StrokePath.GDI32(?), ref: 00BB8AA0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2165e291293298e59e0f4903b504748d780d1ea9c53ca1c41bb627d0a2079661
Instruction ID: f07c62818eab721494fdedf5e0252d682896078e2d41c5007639ddba1b4dc39a
Opcode Fuzzy Hash: 2165e291293298e59e0f4903b504748d780d1ea9c53ca1c41bb627d0a2079661
Instruction Fuzzy Hash: 36110976400109FFDB129F94DC88EAA7FACEB08350F008552BA199A1A1CBB19D55DFA0

Function 00B851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B85218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B85229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B85230
ReleaseDC.USER32(00000000,00000000), ref: 00B85238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B8524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B85261

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: dd7582bbede7af5d533088120d5dd2915e1ec256ce4398f78d8e314ee07ad70c
Instruction ID: 804cbea65267dcb8129f1f4d15991dba45c729e98ccd3f93575f9f2fa5f8550d
Opcode Fuzzy Hash: dd7582bbede7af5d533088120d5dd2915e1ec256ce4398f78d8e314ee07ad70c
Instruction Fuzzy Hash: 0E016275E01719BBEB10AFA99C49E5EBFB8EF48751F044165FA05EB291DA709C00CFA0

Function 00B21BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B21BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B21BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B21C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B21C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B21C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B21C22

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fbe3737025139df3236d31eb801a4d8ae7e0412825a4c040807432125e879cfc
Instruction ID: ec2de0c06490d2939ac7150a3486b0e744a5fc89fed9bb01311647c4e8a2fcea
Opcode Fuzzy Hash: fbe3737025139df3236d31eb801a4d8ae7e0412825a4c040807432125e879cfc
Instruction Fuzzy Hash: 0D0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B8EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B8EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B8EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B8EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B8EB75

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a6caec4a5e8b404c4ff07531c4adf9e09f3f8e8d4e3a2123ef62723686980ebc
Instruction ID: e521c1452aa02cfbb612fc207e2b2ab3b7b6e75926b7c84e7c91b717cb696f50
Opcode Fuzzy Hash: a6caec4a5e8b404c4ff07531c4adf9e09f3f8e8d4e3a2123ef62723686980ebc
Instruction Fuzzy Hash: 88F01D72140158BBE6219B529C0DEEB3E7CEBCAB11F000259F612E2091ABE05A01C6B5

Function 00B77439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B77452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B77469
GetWindowDC.USER32(?), ref: 00B77475
GetPixel.GDI32(00000000,?,?), ref: 00B77484
ReleaseDC.USER32(?,00000000), ref: 00B77496
GetSysColor.USER32(00000005), ref: 00B774B0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9cd8a9f5cf86113d8f1c08b55677dfc4e25c381da9bbe1fce4c618e5ec96d904
Instruction ID: ce5199457cce19be8be36fd5d11c70400674fa4601a19391b635ae9ddf16ff11
Opcode Fuzzy Hash: 9cd8a9f5cf86113d8f1c08b55677dfc4e25c381da9bbe1fce4c618e5ec96d904
Instruction Fuzzy Hash: 26014B31404215EFDB519F64DC09FAA7FB5FB04311F6146A4F92AA31A1CFB11E51EB50

Function 00B81874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B8187F
UnloadUserProfile.USERENV(?,?), ref: 00B8188B
CloseHandle.KERNEL32(?), ref: 00B81894
CloseHandle.KERNEL32(?), ref: 00B8189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B818A5
HeapFree.KERNEL32(00000000), ref: 00B818AC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f317dbf43fa4ade7afee5deff55db427907c067a7b57900902f42f42c0708692
Instruction ID: 18661a349d821c2154458370bba0f5efb16930e39b4dad7f043259889c333e30
Opcode Fuzzy Hash: f317dbf43fa4ade7afee5deff55db427907c067a7b57900902f42f42c0708692
Instruction Fuzzy Hash: 74E0E576004101BBDB019FA6ED0C90ABF79FF49B22B508321F225A2070CFB29420DF60

Function 00B8C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27620: _wcslen.LIBCMT ref: 00B27625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B8C6EE
_wcslen.LIBCMT ref: 00B8C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B8C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B8C7CA

Strings

0, xrefs: 00B8C6AF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4a07c6a03b7df2b0cdbca9f559e3bc1e376c17cd7c6c9b586e09ba9e7ad5dc18
Instruction ID: 6616549b2af56accb27a994c3f20b7729be968cbf1807bdf1e3629b799068ba7
Opcode Fuzzy Hash: 4a07c6a03b7df2b0cdbca9f559e3bc1e376c17cd7c6c9b586e09ba9e7ad5dc18
Instruction Fuzzy Hash: D051DEB56143019BD715AF28C885A7BBBE8EF49310F040AA9FA95D31B1EB70DD04CB66

Function 00BAAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00BAAEA3

Part of subcall function 00B27620: _wcslen.LIBCMT ref: 00B27625

GetProcessId.KERNEL32(00000000), ref: 00BAAF38
CloseHandle.KERNEL32(00000000), ref: 00BAAF67

Strings

@, xrefs: 00BAAE72
<, xrefs: 00BAAE6B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b01aa61d5446528c62ad91f4b138b8a1d612b076935e42c72d5cc2ff21de4e8f
Instruction ID: 6de51c30469224012b570a0488a0dbe48fcf7cc76e5086fcd294e43b4065d671
Opcode Fuzzy Hash: b01aa61d5446528c62ad91f4b138b8a1d612b076935e42c72d5cc2ff21de4e8f
Instruction Fuzzy Hash: BB718A70A04229DFCB14EF54D494A9EBBF0FF09300F148499E85AAB392CB75ED45CBA1

Function 00B8719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B87206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B8723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B8724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B872CF

Strings

DllGetClassObject, xrefs: 00B87242

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 9f6bc5e493b6b075146dc48ad79feac79ae5030f8265d6e0f8574114b6657ce3
Instruction ID: 9fa2a2a2de8ea4defca3af5bd010b8ee1d167f04780f15dba23d078f2dbf758c
Opcode Fuzzy Hash: 9f6bc5e493b6b075146dc48ad79feac79ae5030f8265d6e0f8574114b6657ce3
Instruction Fuzzy Hash: E6415F71644204EFDB15DF54C884A9A7FE9EF45318F2480EDBD09AF22ADBB1D944CBA0

Function 00BB3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB3E35
IsMenu.USER32(?), ref: 00BB3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB3E92
DrawMenuBar.USER32 ref: 00BB3EA5

Strings

0, xrefs: 00BB3D89

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e5c9e97e82004a12de1692f2747e46d87187c0997d0dbf36d93d05520b59ef72
Instruction ID: 43b09fb74ca9eb31c6856cce2b47db09517b5aae9060df23a77fc00b16066ab4
Opcode Fuzzy Hash: e5c9e97e82004a12de1692f2747e46d87187c0997d0dbf36d93d05520b59ef72
Instruction Fuzzy Hash: E4413875A00209EFDB10DF54D884AEABBF5FF48750F0441AAE905AB250D7B0EE45CB60

Function 00B81DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B81E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B81E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B81EA9

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

Strings

ListBox, xrefs: 00B81E25
ComboBox, xrefs: 00B81DF0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: eb47f7a2ac023ae76c58a350d8ff123794cc927a10fd740317ff67cb2c30a01c
Instruction ID: 604d8e7e98fd080eb5423d8b6a151ff9d13bcce1eff8b70216f5512b03b0248b
Opcode Fuzzy Hash: eb47f7a2ac023ae76c58a350d8ff123794cc927a10fd740317ff67cb2c30a01c
Instruction Fuzzy Hash: F221B471A01104ABDB14AB68EC46CFFBBECDF45354F144599F81AA71F1DB744906D720

Function 00BAC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BAC9F1
_wcslen.LIBCMT ref: 00BACA68
_wcslen.LIBCMT ref: 00BACA9E
_wcslen.LIBCMT ref: 00BACAF9
_wcslen.LIBCMT ref: 00BACB2F
_wcslen.LIBCMT ref: 00BACB7F

Strings

HKLM, xrefs: 00BACA98, 00BACA9D
HKEY_LOCAL_MACHINE, xrefs: 00BACA62, 00BACA67

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 11d1ef2d414171613252895d70645fd5e3c627a1aa0210f2d807424a61135113
Instruction ID: 4eafe09c6a7b54282e6d701da59b9fc034bfa29f05669e344da934ff02ab94cc
Opcode Fuzzy Hash: 11d1ef2d414171613252895d70645fd5e3c627a1aa0210f2d807424a61135113
Instruction Fuzzy Hash: C1310433A0856E8BCB20DF6DD8405BE3BD1DBA3794B1540E9E845AB25DEB70CE40D3A0

Function 00BB2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BB2F8D
LoadLibraryW.KERNEL32(?), ref: 00BB2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BB2FA9
DestroyWindow.USER32(?), ref: 00BB2FB1

Strings

SysAnimate32, xrefs: 00BB2F68

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 3f02f0e2843c5d366654f0e4303cd7e583cbc8686ab463542beb6f4522ec156b
Instruction ID: 865b66be83a609daca56efaa3ab69897e18053ed72febf7dce035ffa7ae12b2b
Opcode Fuzzy Hash: 3f02f0e2843c5d366654f0e4303cd7e583cbc8686ab463542beb6f4522ec156b
Instruction Fuzzy Hash: 88216772204209ABEF108FA4DC84EFB77F9EB69364F104668FA50D71A0DBB1DC919760

Function 00B44D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B44D1E,00B528E9,?,00B44CBE,00B528E9,00BE88B8,0000000C,00B44E15,00B528E9,00000002), ref: 00B44D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B44DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B44D1E,00B528E9,?,00B44CBE,00B528E9,00BE88B8,0000000C,00B44E15,00B528E9,00000002,00000000), ref: 00B44DC3

Strings

CorExitProcess, xrefs: 00B44D98
mscoree.dll, xrefs: 00B44D86

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b69730eb5197ee8f498a30fa55d978d16f8b61b9bcc5fd079dc542c6e69ba200
Instruction ID: a6dced2f9d59029f86b55974d9416757ab17a7a101a06de812e8f6728dcf4082
Opcode Fuzzy Hash: b69730eb5197ee8f498a30fa55d978d16f8b61b9bcc5fd079dc542c6e69ba200
Instruction Fuzzy Hash: 6CF04F35A50208BBDB159F94DC49BAEBFF9EF44751F0001A9F909A3260CFB05E50DA90

Function 00B24E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B24EDD,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B24EAE
FreeLibrary.KERNEL32(00000000,?,?,00B24EDD,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B24EA8
kernel32.dll, xrefs: 00B24E94

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 12f16969b283de44661549aeac498758bba817ec2c6d9ebc383561e3d453e4c8
Instruction ID: c64832ea107eaca6ca936e2dc4dc6a511fea7fa1abb08d85d1cafe389b72121e
Opcode Fuzzy Hash: 12f16969b283de44661549aeac498758bba817ec2c6d9ebc383561e3d453e4c8
Instruction Fuzzy Hash: BDE08635A016325BA2316729BC18B6F69D8EF81F627060295FC08F3210DFE4CD0280A0

Function 00B24E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B63CDE,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B24E74
FreeLibrary.KERNEL32(00000000,?,?,00B63CDE,?,00BF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B24E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B24E6E
kernel32.dll, xrefs: 00B24E5B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 4e339113e881445fdb47d5a28a950fea94e0aa01c1737b2ef9e31db08c1181f0
Instruction ID: 3f7c328a5cac7aaa3d7c9af81b9f2a3e37f82070620ec635564b570599f851cc
Opcode Fuzzy Hash: 4e339113e881445fdb47d5a28a950fea94e0aa01c1737b2ef9e31db08c1181f0
Instruction Fuzzy Hash: E3D01235502632576A366B297C1CE9F6E98EF85F513060A95F909B7134CFE0CD03C5E0

Function 00B92947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B92C05
DeleteFileW.KERNEL32(?), ref: 00B92C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B92C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B92CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B92CC0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: e4fbe12dd39bc4f920c221bf29e54d62ab10872d2c114384f1affa8879978509
Instruction ID: 970426b94c533159dfce00d7ddc8ba0147d4284a5f52892039ce7db97aed1a2f
Opcode Fuzzy Hash: e4fbe12dd39bc4f920c221bf29e54d62ab10872d2c114384f1affa8879978509
Instruction Fuzzy Hash: 81B11A72D00129ABDF25DBA4CC85EEEBBFDEF49350F1040E6F609E6151EA709E448B61

Function 00BAA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00BAA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BAA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BAA468
CloseHandle.KERNEL32(?), ref: 00BAA63D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 52937087e040fc88778c0941dc2a25bab6ea331fc20f798ecde6b07db0ed5180
Instruction ID: 4c71506c51ec0f727a7d163bb66914b5a73029568852d781ea2a80a65525d2e7
Opcode Fuzzy Hash: 52937087e040fc88778c0941dc2a25bab6ea331fc20f798ecde6b07db0ed5180
Instruction Fuzzy Hash: 79A1AF716043009FD720DF28D896F2AB7E5AF88714F14889DF55A9B392DBB0EC45CB92

Function 00B8E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B8CF22,?), ref: 00B8DDFD

Part of subcall function 00B8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B8CF22,?), ref: 00B8DE16

Part of subcall function 00B8E199: GetFileAttributesW.KERNEL32(?,00B8CF95), ref: 00B8E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B8E473
MoveFileW.KERNEL32(?,?), ref: 00B8E4AC
_wcslen.LIBCMT ref: 00B8E5EB
_wcslen.LIBCMT ref: 00B8E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B8E650

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 092190b5d5411ef6e3553d2329f7ea7c54d63d459c4822a063798421f3947f76
Instruction ID: 5a04a5c4ce884f6ebf0f2145bb1dbf2f9b6236e881eaf2d3c919a3c9e150ff6f
Opcode Fuzzy Hash: 092190b5d5411ef6e3553d2329f7ea7c54d63d459c4822a063798421f3947f76
Instruction Fuzzy Hash: D1515FB24083459BC724EBA4D8819DFB3ECEF84340F04496EF599931A1EF74E688C766

Function 00BAB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00BAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BAB6AE,?,?), ref: 00BAC9B5
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BAC9F1
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA68
Part of subcall function 00BAC998: _wcslen.LIBCMT ref: 00BACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BABB63
RegCloseKey.ADVAPI32(?,?), ref: 00BABBA6
RegCloseKey.ADVAPI32(00000000), ref: 00BABBB3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0e5bb6208384836afd8a0c283139e8d44d6d4447950b8c381ac5a302c9388b16
Instruction ID: e7b81c1f3cd74199dc926338f081030ca39ca6bd71afa60a06972bd73f96bbc5
Opcode Fuzzy Hash: 0e5bb6208384836afd8a0c283139e8d44d6d4447950b8c381ac5a302c9388b16
Instruction Fuzzy Hash: C861813120C241AFD714DF14C491E2ABBE5FF85348F54899CF4A98B2A2DB31ED45CB92

Function 00B88BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B88BCD
VariantClear.OLEAUT32 ref: 00B88C3E
VariantClear.OLEAUT32 ref: 00B88C9D
VariantClear.OLEAUT32(?), ref: 00B88D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B88D3B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 09ca86df163548d1c44c0fbb07816cd7c9fbcb3aeac2be0cada91d4f2fea0ee1
Instruction ID: be4bf66f97f61bd95538bc2e14837c68ab6c8cc9973bf078f460c632d9f592d4
Opcode Fuzzy Hash: 09ca86df163548d1c44c0fbb07816cd7c9fbcb3aeac2be0cada91d4f2fea0ee1
Instruction Fuzzy Hash: 24516CB5A00219EFCB14DF58C894AAAB7F5FF89310B158569F905DB354EB30E911CF90

Function 00B98AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B98BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B98BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B98C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B98C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B98C5F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 4164c2bf1855759b091d442deb1418524b2f6137e340cfee030e37ec032ebd8a
Instruction ID: a718fb9009d0e7e1577dedd4673c933f27b698f52c8d03c9614aeafe7af6f3b0
Opcode Fuzzy Hash: 4164c2bf1855759b091d442deb1418524b2f6137e340cfee030e37ec032ebd8a
Instruction Fuzzy Hash: E0513A35A002199FCF05DF64D881A6DBBF5FF49314F0884A8E849AB362DB35ED51CB90

Function 00BA8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00BA8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00BA8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BA8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00BA9032
FreeLibrary.KERNEL32(00000000), ref: 00BA9052

Part of subcall function 00B3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B91043,?,753CE610), ref: 00B3F6E6
Part of subcall function 00B3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B7FA64,00000000,00000000,?,?,00B91043,?,753CE610,?,00B7FA64), ref: 00B3F70D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3356f631ceb777568390d62225feae8d8e457a3bea989f9071c54d2d15b5e8d0
Instruction ID: ebbfae5c9ffcbe7b0d0a4bbd1c668b0b9bbe46eac9c4c7c4d56b21b4d00891c4
Opcode Fuzzy Hash: 3356f631ceb777568390d62225feae8d8e457a3bea989f9071c54d2d15b5e8d0
Instruction Fuzzy Hash: 52512734604215DFC711DF58C4948ADBBF1FF4A314B0880E8E80AAB762DB31ED85CB90

Function 00BB6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00BB6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00BB6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00BB6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B9AB79,00000000,00000000), ref: 00BB6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00BB6CC7

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a59ccd0eb14aefc2891c0164f16e729415b1491ebcef2c81db64cfc20855e5e2
Instruction ID: 3e7608b9a662ebb778899c8bd7e5300b51fea3c183096faecdac385109c43e24
Opcode Fuzzy Hash: a59ccd0eb14aefc2891c0164f16e729415b1491ebcef2c81db64cfc20855e5e2
Instruction Fuzzy Hash: 69419F35A04104AFDB24CF28CC99FF97FE5EB09350F1506A8E999A72A0C7F5AD41CA90

Function 00B52051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B520C3
_free.LIBCMT ref: 00B520E3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dd8366bf11fce6628f73ef01924ce02b51a9a73a40818245fedfc3fc59032acb
Instruction ID: b591c26f82aeb3cf4423f60f068e3534318b2d241be18d087485b6c156e61b84
Opcode Fuzzy Hash: dd8366bf11fce6628f73ef01924ce02b51a9a73a40818245fedfc3fc59032acb
Instruction Fuzzy Hash: C241C332A012109FCB24DF78C981B5EB7E5EF8A314F1545E8E915EB392DB31AD05CB80

Function 00B3912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B39141
ScreenToClient.USER32(00000000,?), ref: 00B3915E
GetAsyncKeyState.USER32(00000001), ref: 00B39183
GetAsyncKeyState.USER32(00000002), ref: 00B3919D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b2af199439231c2f732ceaee2e348e8904b65385447cc3795bb8bf6b8c0ee2e9
Instruction ID: 40ba5cfb2ce51273d4a3ead2258bb80d639e05b933e19e5b057b02d4b2c044ba
Opcode Fuzzy Hash: b2af199439231c2f732ceaee2e348e8904b65385447cc3795bb8bf6b8c0ee2e9
Instruction Fuzzy Hash: D7414F31A0861ABBDF159F64C844BEEBBB4FB05320F2082A5E439B7290CB706D54CF91

Function 00B93874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B93922
TranslateMessage.USER32(?), ref: 00B9394B
DispatchMessageW.USER32(?), ref: 00B93955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B93966

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 732bb717ae7be794ae1c9d2878bb5d1a018c65be42d3b1f810f2a9c2bb8e8c93
Instruction ID: 25d0aef82729af29bc5dde97db7ecf3e3e3b60a9f63bad2ec0ad1ab9d75a3fed
Opcode Fuzzy Hash: 732bb717ae7be794ae1c9d2878bb5d1a018c65be42d3b1f810f2a9c2bb8e8c93
Instruction Fuzzy Hash: 01319570504341DFEF35CB359889BB63BE8EB15704F0409B9E467871A0EBF49A85CB21

Function 00B9CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B9C21E,00000000), ref: 00B9CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00B9CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00B9C21E,00000000), ref: 00B9CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B9C21E,00000000), ref: 00B9CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B9C21E,00000000), ref: 00B9CFF2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 7dd47da1ba00956d247b12ccda7a36e5f601947f12848a7ee32d349869cc5cbd
Instruction ID: 11293f67f46c379088274ba386db8f17e82b24f9b4fe6f05a2cf13b7412460dd
Opcode Fuzzy Hash: 7dd47da1ba00956d247b12ccda7a36e5f601947f12848a7ee32d349869cc5cbd
Instruction Fuzzy Hash: 0D314C71900205AFDF20DFA5C884AABBFF9EB14350B2044BEF506D3151DB70AE489B60

Function 00B81901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B81915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00B819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B819E2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: daaa74b084b5f3dc1b0dbd27cdfd36c9f5a81e05c2fbbbe748c85ecf4747b41c
Instruction ID: 4203646acdb8cd1914d502d28e849462639126a96b5ee50a96a63207eecfa057
Opcode Fuzzy Hash: daaa74b084b5f3dc1b0dbd27cdfd36c9f5a81e05c2fbbbe748c85ecf4747b41c
Instruction Fuzzy Hash: 6931E271900219EFCB00DFACCD98AEE3BB9EB04314F104765F961A72E0C7B09946CB90

Function 00BB5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BB5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BB579D
_wcslen.LIBCMT ref: 00BB57AF
_wcslen.LIBCMT ref: 00BB57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB5816

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 1ac061ae7dc0c083278afa73846c39e706907215e740ad8ec057518a0d3392dd
Instruction ID: b4e94b17c48bfb6a5793acc6896c85c22e90d586adfac5fae2a727a3f854e04f
Opcode Fuzzy Hash: 1ac061ae7dc0c083278afa73846c39e706907215e740ad8ec057518a0d3392dd
Instruction Fuzzy Hash: A5218071904618ABDB309F65CC84BFD7BF8EB04724F108696E929AB184DBB09A85CF51

Function 00BA0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00BA0951
GetForegroundWindow.USER32 ref: 00BA0968
GetDC.USER32(00000000), ref: 00BA09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00BA09B0
ReleaseDC.USER32(00000000,00000003), ref: 00BA09E8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: b852d0d9b13a86c6ace079ebebfdd5d16690bf2cb43ec346e5b70f7b638dda17
Instruction ID: fa75bd09db27b9cab25119b91803926b5770412a788ae0b3a3cb44306e1fab16
Opcode Fuzzy Hash: b852d0d9b13a86c6ace079ebebfdd5d16690bf2cb43ec346e5b70f7b638dda17
Instruction Fuzzy Hash: AC218135600214AFD704EF69D895EAEBBE9EF49700F0485ACF85AA7752CB70AC04CB50

Function 00B5CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B5CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B5CDE9

Part of subcall function 00B53820: RtlAllocateHeap.NTDLL(00000000,?,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6,?,00B21129), ref: 00B53852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B5CE0F
_free.LIBCMT ref: 00B5CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B5CE31

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6a35e1dc51749959b525947a324a4f839ae31afd4b73efa13c8aaaf8608d9b21
Instruction ID: 2167d77ee143f18ba893bb26129535783b1c2558a3b1e80c3a77da62e42f6cca
Opcode Fuzzy Hash: 6a35e1dc51749959b525947a324a4f839ae31afd4b73efa13c8aaaf8608d9b21
Instruction Fuzzy Hash: 7101D8726013157F23215A7A6C8AE7B6EEEDEC6BA231502E9FD05D7200DE619D0581B0

Function 00B39639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B39693
SelectObject.GDI32(?,00000000), ref: 00B396A2
BeginPath.GDI32(?), ref: 00B396B9
SelectObject.GDI32(?,00000000), ref: 00B396E2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d0ce8a612815b6457df55718b7a7b140a8ad15e6dd90b8e26bf208a53d37083b
Instruction ID: 9436cb2667e2214c8b024cf05b7089cd3877ebaff01bebfaaa1a5db87c9f6f5c
Opcode Fuzzy Hash: d0ce8a612815b6457df55718b7a7b140a8ad15e6dd90b8e26bf208a53d37083b
Instruction Fuzzy Hash: 91213D70802205EBDB11DF6DDD557B93BA8FB50355F208A56F414A71A0DBF05892CFE4

Function 00B85711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B85726
_memcmp.LIBVCRUNTIME ref: 00B85744
_memcmp.LIBVCRUNTIME ref: 00B85757
_memcmp.LIBVCRUNTIME ref: 00B8576F
_memcmp.LIBVCRUNTIME ref: 00B85787

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5688f22c3733e48df28abbfbfad9ad8272e89e5be762e96b655c1fda8af4d39f
Instruction ID: f2fe3b2d6480f26da4b515f6b238cc9a264c966f419b6e7a183bcae7ca8891a5
Opcode Fuzzy Hash: 5688f22c3733e48df28abbfbfad9ad8272e89e5be762e96b655c1fda8af4d39f
Instruction Fuzzy Hash: AF019279B4160ABBE6286914DD82FFA63DCDB21394F4084A0FD049A251F660EE50D3A8

Function 00B52DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B4F2DE,00B53863,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6), ref: 00B52DFD
_free.LIBCMT ref: 00B52E32
_free.LIBCMT ref: 00B52E59
SetLastError.KERNEL32(00000000,00B21129), ref: 00B52E66
SetLastError.KERNEL32(00000000,00B21129), ref: 00B52E6F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9d620bcf960fa5061f87b4f7e1677b8b568ed4191271e05686ae08542aa351c4
Instruction ID: 43be4d439c40cfefa4357ca43bb9fbd2aa9f0e4b7a22eb51ec13de882dee647e
Opcode Fuzzy Hash: 9d620bcf960fa5061f87b4f7e1677b8b568ed4191271e05686ae08542aa351c4
Instruction Fuzzy Hash: 8201F932107A0067C61267746C87F2B2AE9EFD37A7B2441E9FC21A3292EF709C0E4120

Function 00B8000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?,?,00B8035E), ref: 00B8002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?), ref: 00B80046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?), ref: 00B80054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?), ref: 00B80064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B7FF41,80070057,?,?), ref: 00B80070

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3f7223a89fac5bfe4be3b37c28760883ab46c90d6f7ca01a57551fc74b6b92c8
Instruction ID: 40b82b2470fd5c3960fbb23cc6b7f9b8c0d0ec71067fe53775921a6d1134c22a
Opcode Fuzzy Hash: 3f7223a89fac5bfe4be3b37c28760883ab46c90d6f7ca01a57551fc74b6b92c8
Instruction Fuzzy Hash: E3017872610208EFDB51AF68EC44BAA7EEDEF44792F144264F905D7220EBB1DD44DBA0

Function 00B8E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B8E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B8E9A5
Sleep.KERNEL32(00000000), ref: 00B8E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B8E9B7
Sleep.KERNEL32 ref: 00B8E9F3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a0545ee257742b3bf37a30742ce94585f519f34754dad122aaf29fcd815ccb94
Instruction ID: b3de9a4e333b7aefb648cc0c72d55434a9b8938cbbbb7530b224bdb7121bcb7e
Opcode Fuzzy Hash: a0545ee257742b3bf37a30742ce94585f519f34754dad122aaf29fcd815ccb94
Instruction Fuzzy Hash: 7D015731C01629DBCF00EBE8E859AEDBBB8FB08701F000686E552B2260CBB09550CBA1

Function 00B810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B81114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B8112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B80B9B,?,?,?), ref: 00B81136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B8114D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 62e763c12a545d233e42ea864c2a967f411701166b321f6190abf7f26daecceb
Instruction ID: 9ff6f7adaf6bec18b7bb00129bb1e8fdbcbffba2627243737b98976bf49767e9
Opcode Fuzzy Hash: 62e763c12a545d233e42ea864c2a967f411701166b321f6190abf7f26daecceb
Instruction Fuzzy Hash: 5A016D75101205BFDB119F69DC4DAAA3FAEEF85360B200455FA41E3360DE71DC00CB60

Function 00B80FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B80FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B80FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B80FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B80FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B81002

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 722c2e0a5d04da7607b1ce51c2e532d312577aeaf4dd616362e073d4096707dc
Instruction ID: 66c18836298f51871731989b8f7fc42c8d920f1da3e7361235e2d0e8298b06a5
Opcode Fuzzy Hash: 722c2e0a5d04da7607b1ce51c2e532d312577aeaf4dd616362e073d4096707dc
Instruction Fuzzy Hash: 5EF0A975201301ABDB21AFA89C49F563FADEF89762F600825FA05E7260CEB0DC40CA60

Function 00B81014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B8102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B81036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B81045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B8104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B81062

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8eb03aa330e114da723fa0a52d80e76c9eac771a89d18fd8883ba6c6fff2f48c
Instruction ID: b6396b6a7fb3d03ab180a4cf1bc35f024d5170e0925223b307dfd78ef13c6f98
Opcode Fuzzy Hash: 8eb03aa330e114da723fa0a52d80e76c9eac771a89d18fd8883ba6c6fff2f48c
Instruction Fuzzy Hash: ACF04975201301ABDB21AFA8EC49F573FADEF89761F600925FA45E7260CEB0D841CA60

Function 00B9030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B90324
CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B90331
CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B9033E
CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B9034B
CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B90358
CloseHandle.KERNEL32(?,?,?,?,00B9017D,?,00B932FC,?,00000001,00B62592,?), ref: 00B90365

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ed560b97a90abf96535a8053e1039bb51da868f69294da7689944cef303f5b21
Instruction ID: ce21be9711a3eeaf06c1836cec97997260b35459c72de583666ddf94ac3f286f
Opcode Fuzzy Hash: ed560b97a90abf96535a8053e1039bb51da868f69294da7689944cef303f5b21
Instruction Fuzzy Hash: AF01EA72814B019FCB30AF6AD880802FBF9FF603053048A3FD19652930C3B0A988CF84

Function 00B5D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B5D752

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

_free.LIBCMT ref: 00B5D764
_free.LIBCMT ref: 00B5D776
_free.LIBCMT ref: 00B5D788
_free.LIBCMT ref: 00B5D79A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 80a049a91c520a93c44e882215d1ce9a135ceb20a176dd2b6f291486b422974f
Instruction ID: b004c5b9f7f3927e744e99b73d669f26c26901b1487d54e3ec6f7c9a625c0973
Opcode Fuzzy Hash: 80a049a91c520a93c44e882215d1ce9a135ceb20a176dd2b6f291486b422974f
Instruction Fuzzy Hash: D1F06232501248ABC635EB64F9C1E567FDDFB09312BA409D5F858EB602CB30FC848660

Function 00B85C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B85C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B85C6F
MessageBeep.USER32(00000000), ref: 00B85C87
KillTimer.USER32(?,0000040A), ref: 00B85CA3
EndDialog.USER32(?,00000001), ref: 00B85CBD

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 846e9453681f4a0b92e0014f8262ebe04dbaeefecd04b6945df0bd761edaeef3
Instruction ID: 6191a57d968da15026984b1391824d2fd379570758c806d8a8cc7e27acec6ddf
Opcode Fuzzy Hash: 846e9453681f4a0b92e0014f8262ebe04dbaeefecd04b6945df0bd761edaeef3
Instruction Fuzzy Hash: 06011270500B04ABEB31AB10DD4EFA67BF8FB04B05F041699A583A24E1DBF4A984CF90

Function 00B522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B522BE

Part of subcall function 00B529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000), ref: 00B529DE
Part of subcall function 00B529C8: GetLastError.KERNEL32(00000000,?,00B5D7D1,00000000,00000000,00000000,00000000,?,00B5D7F8,00000000,00000007,00000000,?,00B5DBF5,00000000,00000000), ref: 00B529F0

_free.LIBCMT ref: 00B522D0
_free.LIBCMT ref: 00B522E3
_free.LIBCMT ref: 00B522F4
_free.LIBCMT ref: 00B52305

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d92f90b19afcaee910c96a2324bc7a7bd935596bad337cc799ae9614ace829cf
Instruction ID: c11c73d400358a6a605ff297396d7f4d03b5e3dd148a1cb6cf1309ca96990009
Opcode Fuzzy Hash: d92f90b19afcaee910c96a2324bc7a7bd935596bad337cc799ae9614ace829cf
Instruction Fuzzy Hash: A3F054754121109F8612BF98BC419683FE4F729752B0009D6F810E7372CF314416DFE4

Function 00B395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B395D4
StrokeAndFillPath.GDI32(?,?,00B771F7,00000000,?,?,?), ref: 00B395F0
SelectObject.GDI32(?,00000000), ref: 00B39603
DeleteObject.GDI32 ref: 00B39616
StrokePath.GDI32(?), ref: 00B39631

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 584143de4d725f7c92eefafdcc05e5cd57d8ac0409efa74eff6ade1647e0f4fe
Instruction ID: f4d5ec9842c9e16706a3189db1e73dc04de2edd7488cbe71d879486bcf649298
Opcode Fuzzy Hash: 584143de4d725f7c92eefafdcc05e5cd57d8ac0409efa74eff6ade1647e0f4fe
Instruction Fuzzy Hash: 19F0F630006204EBDB12AF69ED187793FA5EB10322F148A54E865670F1CFF08992DFA0

Function 00B50F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B510F9
__freea.LIBCMT ref: 00B51117

Part of subcall function 00B51537: _free.LIBCMT ref: 00B5154F

Strings

am/pm, xrefs: 00B5117A
a/p, xrefs: 00B511DE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 08fd5b049bf185a772d3619a1db1ed58713194cffbc773b2b3da949329e6d751
Instruction ID: b750e6728954accd62b554c9cbf30e29f1c488fc1276b0f0d98ab2f680483c72
Opcode Fuzzy Hash: 08fd5b049bf185a772d3619a1db1ed58713194cffbc773b2b3da949329e6d751
Instruction Fuzzy Hash: 92D10431900246EADB249F6CC8A5BFAB7F0EF05702F1849D9ED01AB650D3759D88CB65

Function 00BA7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B40242: EnterCriticalSection.KERNEL32(00BF070C,00BF1884,?,?,00B3198B,00BF2518,?,?,?,00B212F9,00000000), ref: 00B4024D
Part of subcall function 00B40242: LeaveCriticalSection.KERNEL32(00BF070C,?,00B3198B,00BF2518,?,?,?,00B212F9,00000000), ref: 00B4028A

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B400A3: __onexit.LIBCMT ref: 00B400A9

__Init_thread_footer.LIBCMT ref: 00BA7BFB

Part of subcall function 00B401F8: EnterCriticalSection.KERNEL32(00BF070C,?,?,00B38747,00BF2514), ref: 00B40202
Part of subcall function 00B401F8: LeaveCriticalSection.KERNEL32(00BF070C,?,00B38747,00BF2514), ref: 00B40235

Strings

Variable must be of type 'Object'., xrefs: 00BA7C3A
5, xrefs: 00BA7C78
G, xrefs: 00BA7C7F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 229e80364477d0d54d3f53d0504e0e06b81fa4581ce5f644741b4bc381fe756e
Instruction ID: bdf3e823a23ed13c0ee7592dea42882a0b5d731272b14ab868d4e9d01087f22b
Opcode Fuzzy Hash: 229e80364477d0d54d3f53d0504e0e06b81fa4581ce5f644741b4bc381fe756e
Instruction Fuzzy Hash: 6D916A71A4C209AFCB14EF54D8919BDBBF1EF4A300F1080D9F9469B2A2DB71AE45CB51

Function 00B82716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B821D0,?,?,00000034,00000800,?,00000034), ref: 00B8B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B82760

Part of subcall function 00B8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B8B3F8

Part of subcall function 00B8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B8B355
Part of subcall function 00B8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B82194,00000034,?,?,00001004,00000000,00000000), ref: 00B8B365
Part of subcall function 00B8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B82194,00000034,?,?,00001004,00000000,00000000), ref: 00B8B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B8281A

Strings

@, xrefs: 00B82832

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 770907099746735361cd653805b961d29035344c7509af468b473e010c2daa57
Instruction ID: e193aa1a98864ba96bc68ba0d3c7ce486580195da04f3606bd2111d1092653ce
Opcode Fuzzy Hash: 770907099746735361cd653805b961d29035344c7509af468b473e010c2daa57
Instruction Fuzzy Hash: 8841FA76900218AFDB10EBA4CD46EEEBBB8EF09700F104095FA55B7191DB706E45CBA1

Function 00B5172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00B51769
_free.LIBCMT ref: 00B51834
_free.LIBCMT ref: 00B5183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00B51760, 00B51767, 00B51796, 00B517CE

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 302ed7b2d3bf4f5d23cf70f813a5504dd4b297f8832e722911e92c6e4cd0197f
Instruction ID: ba94808e5cc33934c15ecfd893e2ced4964e753289e2845928eb7863eae76bd5
Opcode Fuzzy Hash: 302ed7b2d3bf4f5d23cf70f813a5504dd4b297f8832e722911e92c6e4cd0197f
Instruction Fuzzy Hash: 993143B5A00218EBDB21DB9D9885FAEBBFCEB89311F1445E6F80497211D6704E48CB90

Function 00B8C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B8C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00B8C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BF1990,00F866D0), ref: 00B8C395

Strings

0, xrefs: 00B8C2DF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 26877e66c602a7b450c648def943a87fcb7d8598eb22edafc935b0dd040d9408
Instruction ID: bbbc989848c43386a2bd5f7272fd4fc6ff7197a043ba1e0280ecdfeb83867c52
Opcode Fuzzy Hash: 26877e66c602a7b450c648def943a87fcb7d8598eb22edafc935b0dd040d9408
Instruction Fuzzy Hash: 3941B1B12043019FD720EF24D885B5ABFE4EF85310F1086ADF8A5972E2D770E905CB6A

Function 00BB4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BBCC08,00000000,?,?,?,?), ref: 00BB44AA
GetWindowLongW.USER32 ref: 00BB44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB44D7

Strings

SysTreeView32, xrefs: 00BB447C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9cf751a3039b67e4b1b8c3c4ba72defce6d6cfb32edf66208bbcb39ef02ab57a
Instruction ID: 3c2b6f5a07b8c3b1354fe677810a8ed39f62eef12ce748ef7c25b2c220cdaa14
Opcode Fuzzy Hash: 9cf751a3039b67e4b1b8c3c4ba72defce6d6cfb32edf66208bbcb39ef02ab57a
Instruction Fuzzy Hash: 0C317C31210605AFDB208E38DC45BEA7BE9FB08324F204755F979932E1DBB0EC609760

Function 00BA304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BA335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BA3077,?,?), ref: 00BA3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00BA307A
_wcslen.LIBCMT ref: 00BA309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00BA3106

Strings

255.255.255.255, xrefs: 00BA3095, 00BA309A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ab99d739402e45895c55d3f53bb687a3e745e8cc91896f8b9f4bee7680b7eda9
Instruction ID: ced7145217aae21674795ad89f9e061418bb4ec0808da6d78d688d8b942a8c4f
Opcode Fuzzy Hash: ab99d739402e45895c55d3f53bb687a3e745e8cc91896f8b9f4bee7680b7eda9
Instruction Fuzzy Hash: 9D31D5352082059FCB20CF68C485F6977E0EF16714F2480D9F8159B392DB72DE45C760

Function 00BB3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BB3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BB3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB3F78

Strings

SysMonthCal32, xrefs: 00BB3F0B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e22395766b40dcd19653e522f2c3d3e49651e410eae8d7739abb96a2a8e81661
Instruction ID: 97221c9a8f34830c920a1dc333f67d59acc9a7f86301a7c1b04d39ae795d7c9f
Opcode Fuzzy Hash: e22395766b40dcd19653e522f2c3d3e49651e410eae8d7739abb96a2a8e81661
Instruction Fuzzy Hash: 80219C32650219BBDF21DF94DC86FFA3BB9EB48B14F110254FA156B1D0DAB1E950CBA0

Function 00BB4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BB4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BB4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BB471A

Strings

msctls_updown32, xrefs: 00BB4684

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9cf4eaf42e883b5a87f8af0cbba151f56fb0c675bc2b1e00be9f0eb89b32e16c
Instruction ID: ad51fa075244ff372c183f70ebf97e31a7193074abb584d5bb8281f8f08cf2ba
Opcode Fuzzy Hash: 9cf4eaf42e883b5a87f8af0cbba151f56fb0c675bc2b1e00be9f0eb89b32e16c
Instruction Fuzzy Hash: 832160B5600208AFDB10DF69DCC1DB737EDEB5A394B040499FA019B251CBB1EC11CAA0

Function 00B895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8961D

Strings

#notrayicon, xrefs: 00B895B7
#OnAutoItStartRegister, xrefs: 00B895F3
#requireadmin, xrefs: 00B895D9

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: dafee5a49bc5b670e087bd40280ffa88406672f2d1861b2f61c93c9b79e6df8a
Instruction ID: ef590337dc2fc6c7a649bf487f54bda6fbd692dabe32a474cba7b3ce1cb5ac6f
Opcode Fuzzy Hash: dafee5a49bc5b670e087bd40280ffa88406672f2d1861b2f61c93c9b79e6df8a
Instruction Fuzzy Hash: F021383224462166CB31BA24DC42FFB73D8DF61700F1840A6F94997061FB91DE41D395

Function 00BB37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BB3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BB3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BB3876

Strings

Listbox, xrefs: 00BB380F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c3a529e98c5247d4e1229a5b9722bab412d33e06d4c47fc8d6c5d30c814bb658
Instruction ID: 1617cd98d0da38c1caf5e8e0e7b769b69b498d84ee384bcbcf682408f885418a
Opcode Fuzzy Hash: c3a529e98c5247d4e1229a5b9722bab412d33e06d4c47fc8d6c5d30c814bb658
Instruction Fuzzy Hash: 7C218E72610218BBEB218F55DC85EFB3BEEEF89B50F118164F9059B190CAB1DC5287A0

Function 00B949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B94A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B94A5C
SetErrorMode.KERNEL32(00000000,?,?,00BBCC08), ref: 00B94AD0

Strings

%lu, xrefs: 00B94A6F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 5f9f549c6f1b506e6fb6c7c2472cffd4eabff3c6a38c438593b35667998bda0a
Instruction ID: 6023c538794c29598648845a8a1ebfd8222956b48a0c9a7eefbe4b9704865e2e
Opcode Fuzzy Hash: 5f9f549c6f1b506e6fb6c7c2472cffd4eabff3c6a38c438593b35667998bda0a
Instruction Fuzzy Hash: 71315375A00119AFDB10DF54C885EAA7BF8EF48308F1440E5F509EB262DB71ED46CB61

Function 00BB41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BB424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BB4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BB4271

Strings

msctls_trackbar32, xrefs: 00BB4226

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bb2f66ccdac775136dcf2ae674ca48dd60bf3b40129568129c647a2cb2b9e2a8
Instruction ID: de34caf5b90425ff099d2c7b29fec3aeb8bdbeee99f36649498eaa67eaa5a5a9
Opcode Fuzzy Hash: bb2f66ccdac775136dcf2ae674ca48dd60bf3b40129568129c647a2cb2b9e2a8
Instruction Fuzzy Hash: 5911BF31250248BBEB209E29CC46FFB3BECEF95B54F010514FA55A60A1D6B1D8119B50

Function 00B82F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B26B57: _wcslen.LIBCMT ref: 00B26B6A

Part of subcall function 00B82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B82DC5
Part of subcall function 00B82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B82DD6
Part of subcall function 00B82DA7: GetCurrentThreadId.KERNEL32 ref: 00B82DDD
Part of subcall function 00B82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B82DE4

GetFocus.USER32 ref: 00B82F78

Part of subcall function 00B82DEE: GetParent.USER32(00000000), ref: 00B82DF9

GetClassNameW.USER32(?,?,00000100), ref: 00B82FC3
EnumChildWindows.USER32(?,00B8303B), ref: 00B82FEB

Strings

%s%d, xrefs: 00B82FFF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 1fe4f1c9956c7fdef24afc690fdc3a7a31fead4e21dd275e743c6cf56e7b1947
Instruction ID: 36aa19f9015f9ee46549daa5cd8f8ebddf2665dc4cdcd8266f496ca4711e7992
Opcode Fuzzy Hash: 1fe4f1c9956c7fdef24afc690fdc3a7a31fead4e21dd275e743c6cf56e7b1947
Instruction Fuzzy Hash: FD11A2756002056BDF15BF649C86EED3BEAAF94704F0440B5F90A9B262DE709945CB70

Function 00BB5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BB58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00BB58EE
DrawMenuBar.USER32(?), ref: 00BB58FD

Strings

0, xrefs: 00BB588F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 088d949d5a8fa138d82caeebe6bd7adae4564f5be4d2869bbc2e2869ae20e327
Instruction ID: 22856af188ed18966548cfef6c34225c3e1420f16c992c116d8e232c4a55d565
Opcode Fuzzy Hash: 088d949d5a8fa138d82caeebe6bd7adae4564f5be4d2869bbc2e2869ae20e327
Instruction Fuzzy Hash: 3C010931500219EFDB219F11DC85BEABBB4FB45361F1480EAE889D6251DBB09A949F32

Function 00B7D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00B7D3BF
FreeLibrary.KERNEL32 ref: 00B7D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00B7D3B9
X64, xrefs: 00B7D2A8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e49477c4284bd618498cbe2064d29bd800a5d9b0466f4892aca5d0760ffb06bd
Instruction ID: 519ca02abdd1a74b0bdb93ea2177c2696a1167a787c294921f38fcfe817d550a
Opcode Fuzzy Hash: e49477c4284bd618498cbe2064d29bd800a5d9b0466f4892aca5d0760ffb06bd
Instruction Fuzzy Hash: 43F05C218047059BC7745614CCC8A6D37F4EF10781FA2C6C9F03DF20D6EBA0CC41865A

Function 00B8007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780b20f865b42480c59923006df07e097607afffb7a0adc8d16055ac8065ac63
Instruction ID: 90d243a832508869ac74c78a2b392b7ec76517942b6772958a57766801537592
Opcode Fuzzy Hash: 780b20f865b42480c59923006df07e097607afffb7a0adc8d16055ac8065ac63
Instruction Fuzzy Hash: 4DC17B75A1020AEFDB54EFA4C898AAEB7F5FF48354F108598E405EB261C770EE45CB90

Function 00B53E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B53F0B
__alldvrm.LIBCMT ref: 00B5410C
__alldvrm.LIBCMT ref: 00B5412E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 7e033d6a3821c73666c963d78fed0da14c6f562174248a2cf08d2fd4f5e7eb0a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 36A146729007869FEB11CF18C8917AEBFE4EF65395F2841EDE9859B281C3388989C750

Function 00BA342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BA3459
CoUninitialize.OLE32 ref: 00BA3463
VariantInit.OLEAUT32(?), ref: 00BA346E
VariantClear.OLEAUT32(?), ref: 00BA371B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 04df062929dbfe9b69e5e37cc5cf5dc81b4998864ab65bdce7da327f665f2bee
Instruction ID: 546025069ef195b73b72722bedb0e49a1d8421e11d890dde4b01c7dacdc7c46c
Opcode Fuzzy Hash: 04df062929dbfe9b69e5e37cc5cf5dc81b4998864ab65bdce7da327f665f2bee
Instruction Fuzzy Hash: 20A15C756183109FC700DF28C595A2AB7E5FF89714F14889DF98AAB362DB30EE05CB91

Function 00B80436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BBFC08,?), ref: 00B805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BBFC08,?), ref: 00B80608
CLSIDFromProgID.OLE32(?,?,00000000,00BBCC40,000000FF,?,00000000,00000800,00000000,?,00BBFC08,?), ref: 00B8062D
_memcmp.LIBVCRUNTIME ref: 00B8064E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8ea531007ee02223cf3b611fe8757939f87693f8cdfd6b5e2679a34b592f8db6
Instruction ID: 3048767aa73dd35d10e0673d45fc15e365cc96d43240054da5a3df3c6b19de71
Opcode Fuzzy Hash: 8ea531007ee02223cf3b611fe8757939f87693f8cdfd6b5e2679a34b592f8db6
Instruction Fuzzy Hash: AE812D71A10109EFCB44EF94C984DEEB7F9FF89315F104598E506AB260DB71AE0ACB60

Function 00BAA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BAA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00BAA6BA

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Process32NextW.KERNEL32(00000000,?), ref: 00BAA79C
CloseHandle.KERNEL32(00000000), ref: 00BAA7AB

Part of subcall function 00B3CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B63303,?), ref: 00B3CE8A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d44ee8a14d61f5c324adee9e178d4a377bf66a47b3c06719e7cdedf614c3a555
Instruction ID: c4a30767f5ab4bdc1cebdb6b815aa8a83d652234113aabfc602dbc1fc7eec7bb
Opcode Fuzzy Hash: d44ee8a14d61f5c324adee9e178d4a377bf66a47b3c06719e7cdedf614c3a555
Instruction Fuzzy Hash: 8B514D71508310AFD710EF24D886E6BBBE8FF89754F00496DF589A7251EB70D904CBA2

Function 00B61391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B614C0

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7f713ebd9200f42affd2aa70fb3400e21e2ab5d4a004b3c70c194839e241c4d0
Instruction ID: f8ea6aeec60bc055efc842cccab9f72db4c65a04f1b0790f5e1d821e7e9fb893
Opcode Fuzzy Hash: 7f713ebd9200f42affd2aa70fb3400e21e2ab5d4a004b3c70c194839e241c4d0
Instruction Fuzzy Hash: 21413C31A00111ABDB21ABBD8C467BE3BE4EF41370F1C4AE5F819D7391EE7889456A61

Function 00BB6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BB62E2
ScreenToClient.USER32(?,?), ref: 00BB6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00BB6382

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b721f5f74a25db22aa362cc5874b4073eb546fce439c3afa0f5cb177f08a90e1
Instruction ID: 0a800a64b4714d368e2aa5fcda00efcc674b7092b5d5f0fd4b9c9ff511cd544f
Opcode Fuzzy Hash: b721f5f74a25db22aa362cc5874b4073eb546fce439c3afa0f5cb177f08a90e1
Instruction Fuzzy Hash: F6511B74900209EFDB14DF58D8809FE7BF5EB55360F1086A9F91597290DBB4ED41CB90

Function 00BA1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BA1AFD
WSAGetLastError.WSOCK32 ref: 00BA1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BA1B8A
WSAGetLastError.WSOCK32 ref: 00BA1B94

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7ee7e71b8a331edcacdf2148ed84cb0b03818ca3026d757381f8d43bdac57a3a
Instruction ID: c47f5764c77cde42ba5fe5952c80cbd8bfaad14a8a2dfc0977c7a590a9873281
Opcode Fuzzy Hash: 7ee7e71b8a331edcacdf2148ed84cb0b03818ca3026d757381f8d43bdac57a3a
Instruction Fuzzy Hash: 8541B234640210AFE720EF24D886F6977E5EF49718F548488F91A9F7D2DB72DD418B90

Function 00B5B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fdb02bf283e8f951a7e44e4e727eee84584a9be5c42bb0f7816f73af6ebe34
Instruction ID: 22f71daf4c8e7a5a2aa85f86fdc99032c82c1095f1221993482c76454407e74d
Opcode Fuzzy Hash: e1fdb02bf283e8f951a7e44e4e727eee84584a9be5c42bb0f7816f73af6ebe34
Instruction Fuzzy Hash: E4410672A00314AFD7249F38CC41F6ABBE9EB88711F2045EEF951DB382D77199058B80

Function 00B956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B95783
GetLastError.KERNEL32(?,00000000), ref: 00B957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B957FA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b4392bc3ae275442a637f25834fde030f9f5f97608f8ef72e650dc0df1955460
Instruction ID: e4de8423afb4039bde635c101f54998e269c59c72a1f94a6cb4c1f064a54315b
Opcode Fuzzy Hash: b4392bc3ae275442a637f25834fde030f9f5f97608f8ef72e650dc0df1955460
Instruction Fuzzy Hash: 68412D35600610DFCB11EF55D594A5EBBE1EF99320B18C4D8E84A6B362CB34FD00CB95

Function 00B5D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B46D71,00000000,00000000,00B482D9,?,00B482D9,?,00000001,00B46D71,8BE85006,00000001,00B482D9,00B482D9), ref: 00B5D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B5D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B5D9AB
__freea.LIBCMT ref: 00B5D9B4

Part of subcall function 00B53820: RtlAllocateHeap.NTDLL(00000000,?,00BF1444,?,00B3FDF5,?,?,00B2A976,00000010,00BF1440,00B213FC,?,00B213C6,?,00B21129), ref: 00B53852

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 621ad183bd8b419b5816bc652898808718700570c3e0d12cef09c49cece6f3d2
Instruction ID: cdc30b0820d69ceea78ba2ad2e12e7c3626e3e115bffcccb09d97b61f7824f2b
Opcode Fuzzy Hash: 621ad183bd8b419b5816bc652898808718700570c3e0d12cef09c49cece6f3d2
Instruction Fuzzy Hash: 7431AD72A0020AABDF24DF64DC85EAE7BE5EB41711B0542E8FC04E7251EB35CD58CBA0

Function 00BB52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00BB5352
GetWindowLongW.USER32(?,000000F0), ref: 00BB5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BB53A8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 4c3418a6949128e5cbe8b3228ca77df24aef751d88f3731d555c6ca5d07fb3bb
Instruction ID: dd12fd111dc8657996a23184f25db4b8b2936a8930b96859d558291b8fbd97c5
Opcode Fuzzy Hash: 4c3418a6949128e5cbe8b3228ca77df24aef751d88f3731d555c6ca5d07fb3bb
Instruction Fuzzy Hash: B4319E34A55A08EFEB309A14CC56BF877E5EB05390F584182BA12973E1C7F5A980DB4B

Function 00B8AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B8ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B8AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B8AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B8ACC6

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 98a8b45af8a5681dc00434ca44f5f9dffe78de61dc17d6589e58b61b0e4ab017
Instruction ID: 38d89b51a71bf1a7895f31494d50a029ca171e9dc6d0557c50427d9f7c956af7
Opcode Fuzzy Hash: 98a8b45af8a5681dc00434ca44f5f9dffe78de61dc17d6589e58b61b0e4ab017
Instruction Fuzzy Hash: 8B310370A00618AFFF24EA698C04BFA7BE5EB89310F08439BE481921E0C3759985CB52

Function 00BB7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BB769A
GetWindowRect.USER32(?,?), ref: 00BB7710
PtInRect.USER32(?,?,00BB8B89), ref: 00BB7720
MessageBeep.USER32(00000000), ref: 00BB778C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 27c06ebad4a671a563a574c9f4ae5be584267815b1718c114ed31f6556c76429
Instruction ID: 737c6dce17ed7137b739016154dea226c482063181209f1c78970a45d84447fd
Opcode Fuzzy Hash: 27c06ebad4a671a563a574c9f4ae5be584267815b1718c114ed31f6556c76429
Instruction Fuzzy Hash: 1C416834A49214DFCB12CF5AC894EB97BF4FB88300F1585E8E4259B261CFB0AD42CB90

Function 00BB16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BB16EB

Part of subcall function 00B83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B83A57
Part of subcall function 00B83A3D: GetCurrentThreadId.KERNEL32 ref: 00B83A5E
Part of subcall function 00B83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B825B3), ref: 00B83A65

GetCaretPos.USER32(?), ref: 00BB16FF
ClientToScreen.USER32(00000000,?), ref: 00BB174C
GetForegroundWindow.USER32 ref: 00BB1752

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 9e1dc3c744508119d88b333589d1fc61c16f7344ba02cf604fbcee3418166aa5
Instruction ID: 3f38048592ff44579ee11fc3e894e5b9b21ca9b99577319da514eff39023a25f
Opcode Fuzzy Hash: 9e1dc3c744508119d88b333589d1fc61c16f7344ba02cf604fbcee3418166aa5
Instruction Fuzzy Hash: 3A3152B1D00159AFC704EFAAD881DEEBBF9EF48304B5080A9E419E7211DB71DE45CBA0

Function 00B8DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B27620: _wcslen.LIBCMT ref: 00B27625

_wcslen.LIBCMT ref: 00B8DFCB
_wcslen.LIBCMT ref: 00B8DFE2
_wcslen.LIBCMT ref: 00B8E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B8E018

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: a45771378c4705b392ad2cb19b151d166cd3f732a4813ec229c6c247f735cccd
Instruction ID: c1ab05692c4b54e9e09f59006b306cf9a2f829af7e3db13ce6396e1868c31133
Opcode Fuzzy Hash: a45771378c4705b392ad2cb19b151d166cd3f732a4813ec229c6c247f735cccd
Instruction Fuzzy Hash: 0B21D371900214AFCB21EFA8D882B6EB7F8EF45710F1040E9E904BB295D7709E41DBA1

Function 00BB8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

GetCursorPos.USER32(?), ref: 00BB9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B77711,?,?,?,?,?), ref: 00BB9016
GetCursorPos.USER32(?), ref: 00BB905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B77711,?,?,?), ref: 00BB9094

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 19fdf42f10358c7a41d9f74a84a404568839711141f6da80958dbe72b6a2a36b
Instruction ID: 09ef66112ba4ca53210ac65af05e2f48f1dec07b8209f3a833bd81a617de67ba
Opcode Fuzzy Hash: 19fdf42f10358c7a41d9f74a84a404568839711141f6da80958dbe72b6a2a36b
Instruction Fuzzy Hash: 2C21BF31600018EFCB25DF98C898EFA7BF9EB4A350F504595FA0547261C7B19950DB60

Function 00B8D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BBCB68), ref: 00B8D2FB
GetLastError.KERNEL32 ref: 00B8D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B8D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BBCB68), ref: 00B8D376

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 45a49062686d8116602e4bc4ca3cfaebe3ea4128cbe4d78409800fa7a275ecf7
Instruction ID: eb8a9d0081d2158573288c2b63a2c18f9f80e5172917d48c3057c8dc17939db4
Opcode Fuzzy Hash: 45a49062686d8116602e4bc4ca3cfaebe3ea4128cbe4d78409800fa7a275ecf7
Instruction Fuzzy Hash: 7C21A1705083019F8710EF28D8818AEBBE4EE5A364F504A9EF499C72F1DB30D945CB97

Function 00B81571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B8102A
Part of subcall function 00B81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B81036
Part of subcall function 00B81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B81045
Part of subcall function 00B81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B8104C
Part of subcall function 00B81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B81062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B815BE
_memcmp.LIBVCRUNTIME ref: 00B815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B81617
HeapFree.KERNEL32(00000000), ref: 00B8161E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6c9e6ddc2a2097e1ed3f602e3bc1b1dbd576f8a7c58c0cb04ea69aeccfb9eecb
Instruction ID: d35346c43e2f9eaa54cded30604e3efed2132d619a7e5d0d3af2f72518aa4bed
Opcode Fuzzy Hash: 6c9e6ddc2a2097e1ed3f602e3bc1b1dbd576f8a7c58c0cb04ea69aeccfb9eecb
Instruction Fuzzy Hash: BF217A71E01109EFDB00EFA8C945BEEB7F8FF44344F184899E441AB251E770AA06CBA0

Function 00BB2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00BB280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BB2840

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f7d676c1f2bc65cc64d9dcae3fca81e90b0d089e84fa060002eeda83e416d73f
Instruction ID: 56006bf40a41a690bf7cfe5fce6bed2ebd7ede583e649e8238da4a4a63f7a8cd
Opcode Fuzzy Hash: f7d676c1f2bc65cc64d9dcae3fca81e90b0d089e84fa060002eeda83e416d73f
Instruction Fuzzy Hash: 0E219031205511AFD714DB24DC55FBA7BD9EF59324F148298F42A8B6A2CBB1FC42C790

Function 00B878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B8790A,?,000000FF,?,00B88754,00000000,?,0000001C,?,?), ref: 00B88D8C
Part of subcall function 00B88D7D: lstrcpyW.KERNEL32(00000000,?,?,00B8790A,?,000000FF,?,00B88754,00000000,?,0000001C,?,?,00000000), ref: 00B88DB2
Part of subcall function 00B88D7D: lstrcmpiW.KERNEL32(00000000,?,00B8790A,?,000000FF,?,00B88754,00000000,?,0000001C,?,?), ref: 00B88DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B88754,00000000,?,0000001C,?,?,00000000), ref: 00B87923
lstrcpyW.KERNEL32(00000000,?,?,00B88754,00000000,?,0000001C,?,?,00000000), ref: 00B87949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B88754,00000000,?,0000001C,?,?,00000000), ref: 00B87984

Strings

cdecl, xrefs: 00B8797B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: eca81738935f2eff466a0c67913cb2b01ae7044f59b6becf3036bf089dbf3aaf
Instruction ID: 2c5fffd6fcd85edd6971026d53a22041d73e978a1ec43320450142950769a8fd
Opcode Fuzzy Hash: eca81738935f2eff466a0c67913cb2b01ae7044f59b6becf3036bf089dbf3aaf
Instruction Fuzzy Hash: 7E11063A200202BBCB15AF39C844D7A77E9FF45394B60406AF842C7274EF71D801C751

Function 00BB7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00BB7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00BB7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BB7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B9B7AD,00000000), ref: 00BB7D6B

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fb9bf155ab8110f4206de021bf290dd388c9c5670c63f5ca96a7b214ac1ff1d7
Instruction ID: f0a9b7db330ac859f883a7b532da84ce1dfe35db52f64f800a125c9e7cbff9cf
Opcode Fuzzy Hash: fb9bf155ab8110f4206de021bf290dd388c9c5670c63f5ca96a7b214ac1ff1d7
Instruction Fuzzy Hash: 3C1193715446159FCB109F28CC04AB63BE5EF853A0B258764F835D71F0DBB19951CB50

Function 00BB5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00BB56BB
_wcslen.LIBCMT ref: 00BB56CD
_wcslen.LIBCMT ref: 00BB56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB5816

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 05e856f3318ff0b364f2822c6b95b59c9e6eb52e22c1f33398eef35164e28644
Instruction ID: 235e1a2d6dde556f665b257f45b46082111c7fbb2265c504709bf8b494d5261d
Opcode Fuzzy Hash: 05e856f3318ff0b364f2822c6b95b59c9e6eb52e22c1f33398eef35164e28644
Instruction Fuzzy Hash: 0311AC71A00618ABDB309F658CC5BFE77ECEB10764B1045A6F91696181EBF09A84CB62

Function 00B51D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e3c10e83b478d2d38fc728de810ba0a47cc2d3d4a39ceecc3bbe809b5639f
Instruction ID: ded65b62db92d9178788d7feec72aeba57db8156ea63351220dce672d6642040
Opcode Fuzzy Hash: 171e3c10e83b478d2d38fc728de810ba0a47cc2d3d4a39ceecc3bbe809b5639f
Instruction Fuzzy Hash: 700144B22056167EF611267C6CC1F6766ADDF413BAB340BF5FD31612D2DBA09C485170

Function 00B81A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B81A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B81A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B81A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B81A8A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e7a4f17cffe7fafd249abb1739ba5628f80d40ee6c840eaa62383d1b0f913f76
Instruction ID: a725118957b148471bd8a760a5852a510d41526b7c2006e98b01fd6dbbfac3e0
Opcode Fuzzy Hash: e7a4f17cffe7fafd249abb1739ba5628f80d40ee6c840eaa62383d1b0f913f76
Instruction Fuzzy Hash: 0B113C3AD01219FFEB10DFA8CD85FADBBB8EB08750F200491E610B7290D6716E51DB94

Function 00B8E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B8E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00B8E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B8E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B8E24D

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bd0634692ec6a3874b80d8412735b9091d1ff342ec643c7c0cbf6a942e5eb168
Instruction ID: d14e806a6191ca64caf845f6695891bc72c9859b5437e9bc4d0bcccd8c554055
Opcode Fuzzy Hash: bd0634692ec6a3874b80d8412735b9091d1ff342ec643c7c0cbf6a942e5eb168
Instruction Fuzzy Hash: E911A176904254BBC701EFACDC49AAA7FEDEB45320F1446A5F924E32A1DAB0C904C7A0

Function 00B4D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B4CFF9,00000000,00000004,00000000), ref: 00B4D218
GetLastError.KERNEL32 ref: 00B4D224
__dosmaperr.LIBCMT ref: 00B4D22B
ResumeThread.KERNEL32(00000000), ref: 00B4D249

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 87f0b599e7421d31a97921e5619706e9fac2c3c989a8e67d33d278456320f798
Instruction ID: 9f9fd4d6b5be9b7a47dbc6985d7e7a80745053db7c8778200d44f8c63ed37554
Opcode Fuzzy Hash: 87f0b599e7421d31a97921e5619706e9fac2c3c989a8e67d33d278456320f798
Instruction Fuzzy Hash: 7601D236805214BBCB119BA5DC09BAE7EE9DF81731F100399F925A31D0CFB0CA05E6A1

Function 00BB9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B39BB2

GetClientRect.USER32(?,?), ref: 00BB9F31
GetCursorPos.USER32(?), ref: 00BB9F3B
ScreenToClient.USER32(?,?), ref: 00BB9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00BB9F7A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0fe657eea22c463cec20b6b1268b7f89e0e0c259e2aab3c9e81ad7fd2f7aaa5c
Instruction ID: 004d33ce4653b503561b57c6953815d299b3ce4917c7287c138eee2aff5b0d64
Opcode Fuzzy Hash: 0fe657eea22c463cec20b6b1268b7f89e0e0c259e2aab3c9e81ad7fd2f7aaa5c
Instruction Fuzzy Hash: B911183290011AEBDB10DFA8D8859FE7BB9FB46321F504595FA11E3151DBB0BA81CBA1

Function 00B2600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B2604C
GetStockObject.GDI32(00000011), ref: 00B26060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B2606A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 135a8d024c38ae724cd23e663f4ca690a22be02db501f76ae410ffd0ad98f748
Instruction ID: c2225df27a7fb2bbf0d5ab5bf6ed6fcbfb47fb5bdac0266b6916714460d0342b
Opcode Fuzzy Hash: 135a8d024c38ae724cd23e663f4ca690a22be02db501f76ae410ffd0ad98f748
Instruction Fuzzy Hash: A9118E72101518BFEF168FA49C84EEB7FA9EF09354F000241FA0852010CB769C60EBA0

Function 00B43B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B43B56

Part of subcall function 00B43AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B43AD2
Part of subcall function 00B43AA3: ___AdjustPointer.LIBCMT ref: 00B43AED

_UnwindNestedFrames.LIBCMT ref: 00B43B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B43B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B43BA4

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 1629f0f6be5e78c3517a5d08a21ec220dee4b5c4fe388acadeafb5b53ad5c30c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2A012932100148BBDF126E95CC42EEB7BE9EF48B54F084094FE4896121C732EA61EBA0

Function 00B53073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B213C6,00000000,00000000,?,00B5301A,00B213C6,00000000,00000000,00000000,?,00B5328B,00000006,FlsSetValue), ref: 00B530A5
GetLastError.KERNEL32(?,00B5301A,00B213C6,00000000,00000000,00000000,?,00B5328B,00000006,FlsSetValue,00BC2290,FlsSetValue,00000000,00000364,?,00B52E46), ref: 00B530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B5301A,00B213C6,00000000,00000000,00000000,?,00B5328B,00000006,FlsSetValue,00BC2290,FlsSetValue,00000000), ref: 00B530BF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d2609cbce9ce86e16a8d0a103a40220112a3820340d457fa94ee7b8db32aad71
Instruction ID: 020931d88bbc62e026281864829d00f1490cd200457ed5db8a995876c5327c41
Opcode Fuzzy Hash: d2609cbce9ce86e16a8d0a103a40220112a3820340d457fa94ee7b8db32aad71
Instruction Fuzzy Hash: A601DD3231132297DB218A789C84B577BD8DF45FE271807A0FD05E7280CB21D905C6E0

Function 00B87464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B8747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B87497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B874CA

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 853a2b7fe6c63f3490d6e3448b1cc7cfb7f339c116965d8dac78c13c53b3ab8c
Instruction ID: 3f09c2c566779f23f15c66d9c0589db72ab362db08a8b027f92eef4fd15b7805
Opcode Fuzzy Hash: 853a2b7fe6c63f3490d6e3448b1cc7cfb7f339c116965d8dac78c13c53b3ab8c
Instruction Fuzzy Hash: BD11A1B12453109BE720DF54EC48F927FFCEB00B18F2485A9A656D7261DBB0EA04DBA0

Function 00B8B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B8ACD3,?,00008000), ref: 00B8B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B8ACD3,?,00008000), ref: 00B8B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B8ACD3,?,00008000), ref: 00B8B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B8ACD3,?,00008000), ref: 00B8B126

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3e7158b6575a7f008958e3d1b8c318b9b7f36ee2e83bed204d8430f800c500e3
Instruction ID: 93c7156089ffe7413c3f3bb3c0765be2ac730093c6148fce15ba7f980d8f961e
Opcode Fuzzy Hash: 3e7158b6575a7f008958e3d1b8c318b9b7f36ee2e83bed204d8430f800c500e3
Instruction Fuzzy Hash: FD112731C01529E7CF00FFA8E998AEEBFB8FB09711F104186D991B6191CB709650CB51

Function 00BB7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BB7E33
ScreenToClient.USER32(?,?), ref: 00BB7E4B
ScreenToClient.USER32(?,?), ref: 00BB7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BB7E8A

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: dee2a9dd37575b191f3e99fb55d6a25e588ed37a0dbe2d1914ba4cd915e01b71
Instruction ID: 7f8a96f9cc8ec9ee6595154a75a3b3c96018792124819caf3be5b72d5ddd1da6
Opcode Fuzzy Hash: dee2a9dd37575b191f3e99fb55d6a25e588ed37a0dbe2d1914ba4cd915e01b71
Instruction Fuzzy Hash: 1D1156B9D0020AAFDB41CF99C8849EEBBF9FF08310F5051A6E915E3210DB75AA54CF50

Function 00B82DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B82DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B82DD6
GetCurrentThreadId.KERNEL32 ref: 00B82DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B82DE4

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 49f0e542ee83f219b2721b8444a89f036fcbcb8010274cf031075e6c69b64b4e
Instruction ID: e3459110870f271cd8c08ec1b2a30cda1e84e5d222d10852ab7e0e1c20655b5a
Opcode Fuzzy Hash: 49f0e542ee83f219b2721b8444a89f036fcbcb8010274cf031075e6c69b64b4e
Instruction Fuzzy Hash: 7CE06D725012247BD7206B629C0DEEB3FACEB42BA1F100265B906E30909AE0C840C7B0

Function 00BB8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B39693
Part of subcall function 00B39639: SelectObject.GDI32(?,00000000), ref: 00B396A2
Part of subcall function 00B39639: BeginPath.GDI32(?), ref: 00B396B9
Part of subcall function 00B39639: SelectObject.GDI32(?,00000000), ref: 00B396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00BB8887
LineTo.GDI32(?,?,?), ref: 00BB8894
EndPath.GDI32(?), ref: 00BB88A4
StrokePath.GDI32(?), ref: 00BB88B2

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 88ff696de2cb1b35fe4ace85d3e09f21e1fe1dbf0b88953ae21eff7bf6f9d63b
Instruction ID: f10df7a89b7e51703b22b10882ddd7db1f11d367a8a25e46d822ebbc16d08416
Opcode Fuzzy Hash: 88ff696de2cb1b35fe4ace85d3e09f21e1fe1dbf0b88953ae21eff7bf6f9d63b
Instruction Fuzzy Hash: 0FF05E36041259FBDB12AF98AC0AFDE3F59AF06310F448140FA11660E2CBF55511CFE5

Function 00B398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B398CC
SetTextColor.GDI32(?,?), ref: 00B398D6
SetBkMode.GDI32(?,00000001), ref: 00B398E9
GetStockObject.GDI32(00000005), ref: 00B398F1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 9b3f4fb47bf48be543f9809dac943811486afec0475d4b5d6953bc40d55a0560
Instruction ID: 2422308ed270f533675613dd2625f70d99aa60f2311f703fbd8ad36db757a470
Opcode Fuzzy Hash: 9b3f4fb47bf48be543f9809dac943811486afec0475d4b5d6953bc40d55a0560
Instruction Fuzzy Hash: BEE06531244640ABDB219B78AC09BD83F60EB11335F14C359F6F9690E1CBB146409B10

Function 00B8162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B81634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B811D9), ref: 00B8163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B811D9), ref: 00B81648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B811D9), ref: 00B8164F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: f29d16970f65f473a3f6126b7b5013334df6c1868eb49959bc6d2c1eb8566894
Instruction ID: f4af91e05d4e0ff3666b77e994d018bd8fab012d60099aa2073573274e464df4
Opcode Fuzzy Hash: f29d16970f65f473a3f6126b7b5013334df6c1868eb49959bc6d2c1eb8566894
Instruction Fuzzy Hash: 15E08631602211DBD7206FA49D0DB863FBCEF44791F184958F285CA090EAB48441C764

Function 00B7D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B7D858
GetDC.USER32(00000000), ref: 00B7D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B7D882
ReleaseDC.USER32(?), ref: 00B7D8A3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: daaebd4292bc20b3f057ba06ac9553b1be9d984c111254372a6534dff48af39d
Instruction ID: 53717a5062addf9a18f995475cb73a66dbe3d9b218cd6abadb7ff7ccc1184977
Opcode Fuzzy Hash: daaebd4292bc20b3f057ba06ac9553b1be9d984c111254372a6534dff48af39d
Instruction Fuzzy Hash: A7E01AB4C00204DFCB41EFA4D948A6DBFF1FB48310F208149E80AE7250CB784901EF50

Function 00B7D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B7D86C
GetDC.USER32(00000000), ref: 00B7D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B7D882
ReleaseDC.USER32(?), ref: 00B7D8A3

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f408153da95a8542ce938ebfa45110e8f6d9791c29fc7573f31060bb7325da6f
Instruction ID: a17761e1e83680438f404cd6d803fd02a4e0ea3a1a3a9fba5855ca8803682549
Opcode Fuzzy Hash: f408153da95a8542ce938ebfa45110e8f6d9791c29fc7573f31060bb7325da6f
Instruction Fuzzy Hash: EFE092B5C04204EFCB51EFA4E948A6DBFF5BB48311F248549E94AE7250CBB85905EF50

Function 00B94D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B27620: _wcslen.LIBCMT ref: 00B27625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B94ED4

Strings

LPT, xrefs: 00B94DFB
*, xrefs: 00B94E10

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 1c63276483707be827f7bdc647205604778cefafa8b26fb66b47f321707747f7
Instruction ID: bbbcf441f89ae64ad8c2c7a0e6ecc8b90b860f3e88b3cf8a985d4c0b98959502
Opcode Fuzzy Hash: 1c63276483707be827f7bdc647205604778cefafa8b26fb66b47f321707747f7
Instruction Fuzzy Hash: 19915E75A002159FCB14DF58C494EAABBF1EF48304F1980E9E80A9F762D771ED86CB91

Function 00B4E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B4E30D

Strings

pow, xrefs: 00B4E2E5, 00B4E302

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d882dde8ae865c9ae3925ea1b69706102377bc2638c418fc0bdbfdd1ba90f0a3
Instruction ID: 7c08e7eff2cebc551c0ffcf2fe3ae1f17256bacdbb15e5a2f1d0bb2e39c3ae2e
Opcode Fuzzy Hash: d882dde8ae865c9ae3925ea1b69706102377bc2638c418fc0bdbfdd1ba90f0a3
Instruction Fuzzy Hash: 48517061B4C20296DB177B14E9427793BE8FB40742F304DE8E8E5432E9DF31CD99AA46

Function 00B3E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B3E1B1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 694e0a9a61ce969c9603b03ebbf5f6e9b15cc505d7307e086bc25b6b3552bb8d
Instruction ID: 297ebc78f411eb354c4fbb70dd62bc798882604f3e2bc62c740191003690fee2
Opcode Fuzzy Hash: 694e0a9a61ce969c9603b03ebbf5f6e9b15cc505d7307e086bc25b6b3552bb8d
Instruction Fuzzy Hash: DB510235504246DFDB19DF68C481ABA7BE8EF19310F2480D6E8B59B2D0DA34DD52CBA1

Function 00B3F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B3F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B3F2BB

Strings

@, xrefs: 00B3F2AF

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 592e50c7a697919d498adacf4860b7054c3616ca2d7b5ecb285049481dc3c3ad
Instruction ID: 3a1effe95ddf1d1158885e3b5f4fc25d18d4667be41b4b238d9dbd732828b115
Opcode Fuzzy Hash: 592e50c7a697919d498adacf4860b7054c3616ca2d7b5ecb285049481dc3c3ad
Instruction Fuzzy Hash: 7A512771408744ABD320AF54EC86BAFBBF8FB84300F81889DF1D942195EF708529CB66

Function 00BA5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00BA57E0
_wcslen.LIBCMT ref: 00BA57EC

Strings

CALLARGARRAY, xrefs: 00BA57E6, 00BA57EB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fead0c005deba9c2954abc2c80b07b1ad6dc664e137eb8f2e3d50ad08648b96f
Instruction ID: de7d03f7ad69bf6277544a0f64043f2b742172c94282f9838c3b3080296cc069
Opcode Fuzzy Hash: fead0c005deba9c2954abc2c80b07b1ad6dc664e137eb8f2e3d50ad08648b96f
Instruction Fuzzy Hash: AC41C431E041099FCB14EFA8C8819FEBBF5FF5A310F2440A9E505A7251EB749E81CB90

Function 00B9D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B9D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B9D13A

Strings

|, xrefs: 00B9D10B

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 5e301ffd8b410a8fb2e1c1c73f2f2bfb9b53833328e95d88e4b4089b04eb0073
Instruction ID: 6a01db412db8e6e1046133d54cfbc68121894533aa95654b61fe345dc57878cb
Opcode Fuzzy Hash: 5e301ffd8b410a8fb2e1c1c73f2f2bfb9b53833328e95d88e4b4089b04eb0073
Instruction Fuzzy Hash: B5313C71D01129ABCF15EFA5DC85AEE7FB9FF04300F1000A9F819A6161DB31AA06DB50

Function 00BB356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BB3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BB365C

Strings

static, xrefs: 00BB35BC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 06b1a69e9733d5200405da65f55c6d5117dbda487debdf704b92d0eecceca961
Instruction ID: 52f5516fbd31a8362518ea2fde5c4fa409bfaa49edbc38abde9a0b273268a844
Opcode Fuzzy Hash: 06b1a69e9733d5200405da65f55c6d5117dbda487debdf704b92d0eecceca961
Instruction Fuzzy Hash: FE319071110604AFDB24DF28DC80EFB77E9FF58B20F108659F8A697290DA70AD81D760

Function 00BB4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BB461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB4634

Strings

', xrefs: 00BB458E

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: afeda0770f09da30bb293631d84084f76adf08f913ca86ee793835e844d7f22d
Instruction ID: dcf299eb2516f72f018d8bf41c94ccf90451a00a8e2564cb131db220bfa5ecbc
Opcode Fuzzy Hash: afeda0770f09da30bb293631d84084f76adf08f913ca86ee793835e844d7f22d
Instruction Fuzzy Hash: DC313874A006199FDF14CFA9C980BEA7BF5FF19300F1044AAE905AB342D7B0A941CF90

Function 00BB31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BB327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB3287

Strings

Combobox, xrefs: 00BB3249

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 494abe3463061640bcd6b6ffb280783c52ba547de0fab81285e87b1e07d4553b
Instruction ID: ad6b01df84cf32919d5a00b9867b1268ee6278ce260305b35da3eff426247fb7
Opcode Fuzzy Hash: 494abe3463061640bcd6b6ffb280783c52ba547de0fab81285e87b1e07d4553b
Instruction Fuzzy Hash: 7011B2717002087FEF219E94DC81EFB3BEAEB987A4F104668F91897290D6B1DD518760

Function 00BB3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B2604C
Part of subcall function 00B2600E: GetStockObject.GDI32(00000011), ref: 00B26060
Part of subcall function 00B2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B2606A

GetWindowRect.USER32(00000000,?), ref: 00BB377A
GetSysColor.USER32(00000012), ref: 00BB3794

Strings

static, xrefs: 00BB3757

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 89d7422bd5844db79dfa8eeb92c0ce3936d39492ec09da0d2946f71318d94637
Instruction ID: 1bd1b523f7f1312d89e201da9e8e7ec59af367c1429b2fa516bcaae3a84f73cc
Opcode Fuzzy Hash: 89d7422bd5844db79dfa8eeb92c0ce3936d39492ec09da0d2946f71318d94637
Instruction Fuzzy Hash: 3D1117B2610209AFDB10DFA8CC46EFA7BF8EB08754F004A54F955E3250EB75E851DB60

Function 00B9CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B9CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B9CDA6

Strings

<local>, xrefs: 00B9CD66

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 90fa03838390d545ed95882d8e9eccff3de5bdc165b5e21c7cab0b61abd6e546
Instruction ID: 4d39175195eb5a055fec7e9b7da823671ddb75d8e71841772997e29e031be5f9
Opcode Fuzzy Hash: 90fa03838390d545ed95882d8e9eccff3de5bdc165b5e21c7cab0b61abd6e546
Instruction Fuzzy Hash: C211C6B12056317ADB344B668C85EE7BEECEF127A4F1042B6B11983090D7709840D6F0

Function 00BB3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BB34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BB34BA

Strings

edit, xrefs: 00BB348F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9c32758127eb51bbb36b467b2981f41f9a58f0feac6b57e7fe9cdabcc16300b2
Instruction ID: d76a9f27188672d6c99486bd08662253863d1a1242a510719b2eaa7024f70d55
Opcode Fuzzy Hash: 9c32758127eb51bbb36b467b2981f41f9a58f0feac6b57e7fe9cdabcc16300b2
Instruction Fuzzy Hash: A2119171100108AFEB128E68DC84AFB3BEAEF15B74F504764F965972E0CBB1DC919750

Function 00B86C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

CharUpperBuffW.USER32(?,?,?), ref: 00B86CB6
_wcslen.LIBCMT ref: 00B86CC2

Strings

STOP, xrefs: 00B86CBC, 00B86CC1

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8ef0b6bb5d32d7712cb9ed815b9eb88e972cd3c63c8741680a73fe50baa55b27
Instruction ID: 9b1d79daf685dd7c4bdfe05184e30758a6a8ca7b20baa71b78975a09bc9b6407
Opcode Fuzzy Hash: 8ef0b6bb5d32d7712cb9ed815b9eb88e972cd3c63c8741680a73fe50baa55b27
Instruction Fuzzy Hash: 4001C032A1052A8BCB21BFBDDC809BF77E5FB61710B1009B8E866971A4EB31D950CB50

Function 00B81CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B81D4C

Strings

ListBox, xrefs: 00B81D16
ComboBox, xrefs: 00B81CEB

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 30aa23eab1e75e8922d7a9c20d6deb4becc97bff03dc7505bb58fe3e2b1bfca9
Instruction ID: 655bf816c8964427e13b84b2eeb4557c8dd695df33c8b8eeb3da959c2651010f
Opcode Fuzzy Hash: 30aa23eab1e75e8922d7a9c20d6deb4becc97bff03dc7505bb58fe3e2b1bfca9
Instruction Fuzzy Hash: BE01D875601228ABCB14FFA4DC51DFE77E8FB46750F040AA9F82A672E1EA305909C760

Function 00B81BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B81C46

Strings

ListBox, xrefs: 00B81C10
ComboBox, xrefs: 00B81BE5

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d9c5c14781ef3d5c2a43950bcbaff1cabc67bf543bef9571382d48aef8176c02
Instruction ID: 8e2ee8bf504a12f8357a9e52ee751a1f7a5af9ebeff77e58a5ad64c5af5bdf64
Opcode Fuzzy Hash: d9c5c14781ef3d5c2a43950bcbaff1cabc67bf543bef9571382d48aef8176c02
Instruction Fuzzy Hash: 9501F775A81118A7CB14FBA4D951DFF77ECEB11740F140499A40A6B2A1EA209E09CBB1

Function 00B81C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B81CC8

Strings

ListBox, xrefs: 00B81C94
ComboBox, xrefs: 00B81C69

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b8ab3c558f2caa7442d4f5658512b950d099a5d7f281616631cfc5f3e283f486
Instruction ID: 5e0e3c1f7a77fe7591d6e2430d5f406517d426137e423e98c41c483d3860a94a
Opcode Fuzzy Hash: b8ab3c558f2caa7442d4f5658512b950d099a5d7f281616631cfc5f3e283f486
Instruction Fuzzy Hash: 0B014EB174111867CB14FBA4DA51EFF73ECDB11740F140495B80A77291EA608F09CB71

Function 00B81D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B29CB3: _wcslen.LIBCMT ref: 00B29CBD

Part of subcall function 00B83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B83CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B81DD3

Strings

ListBox, xrefs: 00B81DA0
ComboBox, xrefs: 00B81D75

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4e8bc47b91f4abb5cbe0c1ee5284e59c661ac436142f1705ae7ff49ebc5efd75
Instruction ID: 82e909d6c7231b87247b2c7979a3b75e3144d90c88cd8fd01bb364489dbde1f9
Opcode Fuzzy Hash: 4e8bc47b91f4abb5cbe0c1ee5284e59c661ac436142f1705ae7ff49ebc5efd75
Instruction Fuzzy Hash: 07F0A971A5122867D714F7A4DC91FFE77ECEB01750F040DA5B826672E1DA605909C760

Function 00BA747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BA7493
_wcslen.LIBCMT ref: 00BA74B9

Strings

3, 3, 16, 1, xrefs: 00BA7483

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a891eeebcbc81d3a5071860b872ec9d897cba2e016b86c571c36c561b0fa211b
Instruction ID: 65717e9cef473bee9212aadadc48d97b53458afa212c6e1acf76d0c00182b15a
Opcode Fuzzy Hash: a891eeebcbc81d3a5071860b872ec9d897cba2e016b86c571c36c561b0fa211b
Instruction Fuzzy Hash: 2BE02B0225C220149231127A9CC1A7F57CDCFCE75071018ABF981C2366EF948EA2B3A0

Function 00B80B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B80B23

Strings

AutoIt, xrefs: 00B80B17
Error allocating memory., xrefs: 00B80B1C

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e7b921e0887d49f87a3966bfa39c3bdb96aa35b9baef0748a8afde846ea68e7b
Instruction ID: ed71b92461de46de11c02b6daae76c90fd7811db1a70d55caf4d27f2ad44022a
Opcode Fuzzy Hash: e7b921e0887d49f87a3966bfa39c3bdb96aa35b9baef0748a8afde846ea68e7b
Instruction Fuzzy Hash: 11E0D8322843182BD2147A957C03FD97FC4CF05B50F2004E6FB88554D38FE1685046E9

Function 00B40D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B40D71,?,?,?,00B2100A), ref: 00B3F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B2100A), ref: 00B40D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B2100A), ref: 00B40D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B40D7F

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 500030b07a8e301486526886942c4fb99723154715d0928d883bb9208e228e13
Instruction ID: 252017aa793e8a5a480fb3fb7e1e17bea1358f9c14595fa97c8fc290cd350f38
Opcode Fuzzy Hash: 500030b07a8e301486526886942c4fb99723154715d0928d883bb9208e228e13
Instruction Fuzzy Hash: E1E06D706003128BD720AFBCE8047627BE0AF04740F008ABDE986C7651DBF5E5488BA1

Function 00B93017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B9302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B93044

Strings

aut, xrefs: 00B93038

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 995e32d44b53364fbc97b3234dea766e015abf7554476ae8c0584cadb4c6ce8f
Instruction ID: 0ef7d97136dfc1173d2c892fe33e4d23bd8be594aef39a4852c02868e397be00
Opcode Fuzzy Hash: 995e32d44b53364fbc97b3234dea766e015abf7554476ae8c0584cadb4c6ce8f
Instruction Fuzzy Hash: 6AD05E7290032867DA20E7A5AC0EFCB3F6CDB04750F0002A1B755E30A1DEF09984CBE0

Function 00B7D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B7D220

Strings

%.3d, xrefs: 00B7D22B
X64, xrefs: 00B7D2A8

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f952d72a779f1e86ffc6118731ab5e79e4c7e0d628e88c4041cfa2b9957f8e3a
Instruction ID: 265d49197d017060c35d314c78bb2948b0943d7ce43eff90b0b4d36bf48d49cd
Opcode Fuzzy Hash: f952d72a779f1e86ffc6118731ab5e79e4c7e0d628e88c4041cfa2b9957f8e3a
Instruction Fuzzy Hash: 83D012A1C08109EACB9097D0DCC59B9B3FCEF08381F60C4D2F91AA2041EA24C90A6B61

Function 00BB2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BB232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BB233F

Part of subcall function 00B8E97B: Sleep.KERNEL32 ref: 00B8E9F3

Strings

Shell_TrayWnd, xrefs: 00BB2325

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8d9c7220d5a42b48d12cb8d56b398c9bb5017520ab81cdce8bf611ae3153d1da
Instruction ID: 1883f396df15217a73b716816337a5240921d5a6202b0efcad16ac7081fd1c5c
Opcode Fuzzy Hash: 8d9c7220d5a42b48d12cb8d56b398c9bb5017520ab81cdce8bf611ae3153d1da
Instruction Fuzzy Hash: 02D0A932380300B7E264B7309C0FFD66A44AB10B00F000A02B686AB0E0CAF0A800CA00

Function 00BB2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BB236C
PostMessageW.USER32(00000000), ref: 00BB2373

Part of subcall function 00B8E97B: Sleep.KERNEL32 ref: 00B8E9F3

Strings

Shell_TrayWnd, xrefs: 00BB2365

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bcf90257046fb33354b9f9830d663491818dee11a8136ec147186dbb7a9aaeb0
Instruction ID: f497a344ebbaacb8b3d6781d45d946c79ae7dad888b76c1f7174340e3487906b
Opcode Fuzzy Hash: bcf90257046fb33354b9f9830d663491818dee11a8136ec147186dbb7a9aaeb0
Instruction Fuzzy Hash: EDD0C9323C1350BBE664B7719C0FFD66A54AB14B11F404A56B696AB1E0DAF0A841CA54

Function 00B5BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B5BE93
GetLastError.KERNEL32 ref: 00B5BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B5BEFC

Memory Dump Source

Source File: 00000000.00000002.1726293117.0000000000B21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B20000, based on PE: true

Associated: 00000000.00000002.1726250140.0000000000B20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BBC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726513874.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726591831.0000000000BEC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1726627682.0000000000BF4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b20000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0ee5b9ad0b15c53db3cf5030bd7ea19752b186227f57be63e7ef0f1a94b2712c
Instruction ID: 1622b79b35cd2d1cb848e3b37e3dcb0c775f87fa9b96d9f78aa7d789d303c9be
Opcode Fuzzy Hash: 0ee5b9ad0b15c53db3cf5030bd7ea19752b186227f57be63e7ef0f1a94b2712c
Instruction Fuzzy Hash: D841B135600216ABCB218F65CC85FBABBE5EF41312F1441E9FD59A71A1DB308D09DB60

Analysis Process: firefox.exePID: 7488, Parent PID: 6044COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000027EF10F4B77 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000027EF10F4B9C

Memory Dump Source

Source File: 00000010.00000002.3523230814.0000027EF10F2000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000027EF10F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_27ef10f2000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction ID: ffe1cc96b0315ba183109e1595c34e9d5178d8111dc8e8c1d0d4f92c62265d45
Opcode Fuzzy Hash: a10a38f4afd427e97fdf239b8bc171b99ad3ba19659c2c00eb60168167a069fa
Instruction Fuzzy Hash: 6AA3F731618A4C8BDB2DDF28DC867AA73D5FB59304F15426ED94BC3651DF30EA428B82

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899792376.00003ADF63A03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899792376.00003ADF63A03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1912204055.000001BF99935000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895399959.000001BF99935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1877115360.000001BF99F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911990688.000001BF99F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1886009555.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884394486.000001BF97A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907659973.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1886009555.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908185969.000001BF96788000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896364020.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1912204055.000001BF99935000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892208098.000001BF8FBAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895399959.000001BF99935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1877115360.000001BF99F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877115360.000001BF99F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911990688.000001BF99F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1899792376.00003ADF63A03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: F<www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1886009555.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884394486.000001BF97A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1886009555.000001BF9687C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908185969.000001BF96788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3524098043.0000027EF130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3524098043.0000027EF130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3524098043.0000027EF130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3523104595.000002860EC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1878210444.000001BF99CFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906393417.000001BF99CFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895263577.000001BF99CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1895399959.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912204055.000001BF99935000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1892208098.000001BF8FBAA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899792376.00003ADF63A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1877115360.000001BF99F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877115360.000001BF99F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911990688.000001BF99F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1895399959.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920703009.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906765202.000001BF999CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1900075448.000024B69CA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49797 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1b91648b-0771-4a99-b9b2-056bc8087362.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_1b91648b-0771-4a99-b9b2-056bc8087362.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NIEWICM7F2IBVLF3C51.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FW7TA428R65O9ZNLNOZI.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre