Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561602
MD5:	369171ab2e220e54f6822ef6c36fe248
SHA1:	7c99d97ff7ed3c2386a96ed83ecf93fd54486709
SHA256:	b9a0ed323b9c0e231a7fdffb9156da895613c4c6650564183bb19e0c507525eb
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 369171AB2E220E54F6822EF6C36FE248)

taskkill.exe (PID: 7548 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7704 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7768 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7832 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7888 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7924 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7940 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8184 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88431419-431f-449e-bac4-71b5cf1fdcda} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca2cf6eb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7820 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 876 -prefMapHandle 1040 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29d4d0f-f96b-4cd9-b96a-0f109be8bb1f} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca3f0f6010 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7784 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d13148-600e-45f3-99e5-72b76429e2d6} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca484bb110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7532	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0083EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0083ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0083EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0082AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00859576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00859576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1668845108.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_52944ba0-8
Source: file.exe, 00000000.00000000.1668845108.0000000000882000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1afe9556-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7e987c4-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e2aaec36-d

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A22377 NtQuerySystemInformation,		16_2_00000193A5A22377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A480B2 NtQuerySystemInformation,		16_2_00000193A5A480B2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0082D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00821201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0082E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C8060	0_2_007C8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00832046	0_2_00832046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00828298	0_2_00828298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FE4FF	0_2_007FE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F676B	0_2_007F676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00854873	0_2_00854873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CCAF0	0_2_007CCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ECAA0	0_2_007ECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DCC39	0_2_007DCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6DD9	0_2_007F6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DB119	0_2_007DB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C91C0	0_2_007C91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1394	0_2_007E1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1706	0_2_007E1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E781B	0_2_007E781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D997D	0_2_007D997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C7920	0_2_007C7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E19B0	0_2_007E19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7A4A	0_2_007E7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1C77	0_2_007E1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E7CA7	0_2_007E7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F9EEE	0_2_007F9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084BE44	0_2_0084BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E1F32	0_2_007E1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A22377	16_2_00000193A5A22377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A480B2	16_2_00000193A5A480B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A487DC	16_2_00000193A5A487DC
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000193A5A480F2	16_2_00000193A5A480F2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007DF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007E0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@69/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008337B5 GetLastError,FormatMessageW,

0_2_008337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008210BF AdjustTokenPrivileges,CloseHandle,		0_2_008210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0082D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0083648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007C42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1775134754.000002CA3E648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT ALL id FROM nssPublic WHERE a1=$DATA0 AND a0=$DATA1 AND a81=$DATA2 AND a82=$DATA3;
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1918449149.000002CA4762B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88431419-431f-449e-bac4-71b5cf1fdcda} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca2cf6eb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 876 -prefMapHandle 1040 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29d4d0f-f96b-4cd9-b96a-0f109be8bb1f} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca3f0f6010 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d13148-600e-45f3-99e5-72b76429e2d6} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca484bb110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88431419-431f-449e-bac4-71b5cf1fdcda} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca2cf6eb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 876 -prefMapHandle 1040 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29d4d0f-f96b-4cd9-b96a-0f109be8bb1f} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca3f0f6010 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d13148-600e-45f3-99e5-72b76429e2d6} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca484bb110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1901720953.000002CA3A42D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1892409069.000002CA3A427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1901720953.000002CA3A42D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1900531749.000002CA3A427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1892409069.000002CA3A427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000D.00000003.1895173201.000002CA481C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1898671545.000002CA41301000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1900531749.000002CA3A427000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1898671545.000002CA41301000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E0A76 push ecx; ret

0_2_007E0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007DF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00851C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00851C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94391

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000193A5A22377 rdtsc

16_2_00000193A5A22377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0082DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008368EE FindFirstFileW,FindClose,	0_2_008368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0083698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00839642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00839B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00835C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: firefox.exe, 00000012.00000002.3529038733.000002472E1FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP'%.G
Source: firefox.exe, 0000000F.00000002.3530101845.000001490568A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3533899058.00000193A5FB0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3527478329.00000193A55CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3534035386.000001490591A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3529568782.000002472E250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*4
Source: firefox.exe, 0000000F.00000002.3534620588.0000014905A08000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3533899058.00000193A5FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000010.00000002.3533899058.00000193A5FB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC
Source: firefox.exe, 0000000F.00000002.3530101845.000001490568A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD<!

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000193A5A22377 rdtsc

16_2_00000193A5A22377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0083EAA2 BlockInput,

0_2_0083EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007F2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E4CE8 mov eax, dword ptr fs:[00000030h]

0_2_007E4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00820B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007F2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007E083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E09D5 SetUnhandledExceptionFilter,	0_2_007E09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007E0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00821201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00802BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00802BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082B226 SendInput,keybd_event,

0_2_0082B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008422DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00820B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00821663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00821663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007E0698 cpuid

0_2_007E0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00838195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00838195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0081D27A GetUserNameW,

0_2_0081D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_007FBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7532, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7532, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00841204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00841806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00841806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.206	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1756786609.000002CA3D9D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848565465.000002CA405A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895701287.000002CA405A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA405CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910904909.000002CA405A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E6C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1935596817.000002CA3E521000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3530905648.00000149058C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3533390120.000002472E703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1757882259.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757180155.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757283793.000002CA44D47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3529570379.00000193A5986000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E68F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1928270742.000002CA403E3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1713557786.000002CA3CD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713374305.000002CA3CD21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713712263.000002CA3CD60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713185124.000002CA3CB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713868455.000002CA3CD7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1922495205.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1776020241.000002CA3E5A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1756189447.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1756786609.000002CA3D9D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713557786.000002CA3CD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908820744.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863631921.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713374305.000002CA3CD21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850059495.000002CA3F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713712263.000002CA3CD60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713185124.000002CA3CB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832817476.000002CA3F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713868455.000002CA3CD7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1896076068.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911751401.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1713557786.000002CA3CD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713374305.000002CA3CD21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713712263.000002CA3CD60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713185124.000002CA3CB00000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1927565405.000002CA40B83000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3530905648.00000149058C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3533390120.000002472E703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1908496991.000002CA48432000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1844728584.000002CA48C3D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3530905648.00000149058C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3533390120.000002472E703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1922835900.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775134754.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1756189447.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1862624781.000002CA487A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911515336.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A5903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E60C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1895173201.000002CA481AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895701287.000002CA405A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA405CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910904909.000002CA405A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E6C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1922007972.000002CA3EE6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1823859690.000002CA44EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823093021.000002CA45505000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1835470866.000002CA3E4E5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1906902521.000002CA48CE4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1776020241.000002CA3E5A0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1929101473.000002CA3FF3F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://crl3.digice	firefox.exe, 0000000D.00000003.1901955606.000002CA3A3F8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899443487.000002CA3A3F8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893849436.000002CA3A3F8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888545291.000002CA3A3F7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891528051.000002CA3A3F8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889701712.000002CA3A3F8000.00000004.00000020.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000010.00000002.3529570379.00000193A595F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A5912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E613000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1845348631.000002CA48C1C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1823093021.000002CA45505000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1754116295.000002CA4056A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828166735.000002CA3F5BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788781232.000002CA3E4E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834279193.000002CA3E46C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1847862981.000002CA44C2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828166735.000002CA3F535000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA40562000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1896803316.000002CA40198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912833888.000002CA40142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930911256.000002CA3F631000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1848904071.000002CA4056D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932768683.000002CA3F0D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1782541393.000002CA455CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1871775037.000002CA3E41A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932947106.000002CA3F05E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA40572000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757283793.000002CA44D8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1836908016.000002CA3E4DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865629815.000002CA3F53A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856503322.000002CA3D5E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788781232.000002CA3E414000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1896076068.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911751401.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1896076068.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911751401.000002CA401BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911751401.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1922835900.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775134754.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1756189447.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928818150.000002CA3FF9F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1922835900.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775134754.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1756189447.000002CA3E68F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928818150.000002CA3FF9F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1757882259.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757283793.000002CA44D47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1852025884.000002CA3C831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861491246.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716904932.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1823093021.000002CA45505000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1933920290.000002CA3E5B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1896076068.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911751401.000002CA401D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1920043083.000002CA401E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1790684342.000002CA3D67C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823093021.000002CA45505000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1790684342.000002CA3D686000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1852025884.000002CA3C831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861491246.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716904932.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1895173201.000002CA481AE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3530905648.00000149058C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3533390120.000002472E703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909502136.000002CA44CEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44CEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918777321.000002CA44CEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1713868455.000002CA3CD7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1713557786.000002CA3CD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713374305.000002CA3CD21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1850059495.000002CA3F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713712263.000002CA3CD60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713185124.000002CA3CB00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1832817476.000002CA3F4E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1713868455.000002CA3CD7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1927837489.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911515336.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000D.00000003.1844728584.000002CA48C3D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1927837489.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911515336.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1790684342.000002CA3D67C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/	firefox.exe, 0000000D.00000003.1845348631.000002CA48C1C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1852025884.000002CA3C831000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861491246.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716904932.000002CA3C833000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1757283793.000002CA44D47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758878391.000002CA3DA38000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000000D.00000003.1909502136.000002CA44C92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000F.00000002.3530905648.00000149058C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3533390120.000002472E703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000D.00000003.1757882259.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757180155.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757283793.000002CA44D47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.com/recommendations	firefox.exe, 0000000D.00000003.1756786609.000002CA3D9D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3529570379.00000193A59C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3530363701.000002472E6C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts	firefox.exe, 0000000D.00000003.1757450821.000002CA44D39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757952861.000002CA44D32000.00000004.00000800.00020000.00000000.sdmp	false	high
https://lit.dev/docs/templates/directives/#stylemap	firefox.exe, 0000000D.00000003.1757882259.000002CA44D4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757283793.000002CA44D47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://push.services.mozilla.com	firefox.exe, 0000000D.00000003.1844728584.000002CA48CA8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://webextensions.settings.services.mozilla.com/v1	firefox.exe, 0000000F.00000002.3530447895.00000149056C0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3528859201.00000193A57A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3529699174.000002472E350000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561602
Start date and time:	2024-11-23 22:05:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@69/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.80.238.59, 35.164.125.63, 52.12.64.98, 172.217.17.42, 172.217.17.74, 172.217.17.78, 88.221.134.209, 88.221.134.155
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
example.org	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	https://elizgallery.com/nazvanie.js	Get hash	malicious	Unknown	Browse	34.117.77.79
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	ZOL2mIYAUH.exe	Get hash	malicious	Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT	Browse	185.199.109.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	2fQ8fpTWAP.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e2e6f87c-8106-4e54-89f8-914cd0653fbb.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178120189100465
Encrypted:	false
SSDEEP:	192:vjMidpqcbhbVbTbfbRbObtbyEl7ngrGJA6WnSrDtTUd/SkDrh:vYrcNhnzFSJArFBnSrDhUd/f
MD5:	86BE3875235C87524BF566A8CFA560AB
SHA1:	C29AA806043D61FDEF3462D5BC5F4DED0AF94D22
SHA-256:	EC0EA0689F9DE69E650A4B2C74C867A1FF8DB6181EBF7105F3A6A78E9C228F6C
SHA-512:	FF8CDDE4B21D3DFA883EAA3879F929CA38C0B61A6B842AD4DA1B538EBABE38C6416FECCEABA2B32223C06DE9FF9FC0A5908E842A72E73AE8DE0596B285A2C017
Malicious:	false
Preview:	{"type":"uninstall","id":"e2e6f87c-8106-4e54-89f8-914cd0653fbb","creationDate":"2024-11-23T22:31:56.366Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e2e6f87c-8106-4e54-89f8-914cd0653fbb.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.178120189100465
Encrypted:	false
SSDEEP:	192:vjMidpqcbhbVbTbfbRbObtbyEl7ngrGJA6WnSrDtTUd/SkDrh:vYrcNhnzFSJArFBnSrDhUd/f
MD5:	86BE3875235C87524BF566A8CFA560AB
SHA1:	C29AA806043D61FDEF3462D5BC5F4DED0AF94D22
SHA-256:	EC0EA0689F9DE69E650A4B2C74C867A1FF8DB6181EBF7105F3A6A78E9C228F6C
SHA-512:	FF8CDDE4B21D3DFA883EAA3879F929CA38C0B61A6B842AD4DA1B538EBABE38C6416FECCEABA2B32223C06DE9FF9FC0A5908E842A72E73AE8DE0596B285A2C017
Malicious:	false
Preview:	{"type":"uninstall","id":"e2e6f87c-8106-4e54-89f8-914cd0653fbb","creationDate":"2024-11-23T22:31:56.366Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3173125183974004
Encrypted:	false
SSDEEP:	48:edpTkyUgdwwz8dpTkS6BdwI6dpTkSadwq1:7zc
MD5:	A9ED457569B5797C26026DFCB897B81B
SHA1:	7446683110D0D2FFAB541D9113C761E85553DD23
SHA-256:	9991B2EF56A31CF6DAB35EC2AC0CD588F722313BCEAECC441A10DD8C9F9B5480
SHA-512:	55715C52F620673E2C2B38EA15E715108761AB9672CCFCA73967344D1B0CD0E42A4F433B57F601AC3F7D6BE4FE92AEA2F565A1E24203075437E34696C396AD40
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."7..=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............}.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3173125183974004
Encrypted:	false
SSDEEP:	48:edpTkyUgdwwz8dpTkS6BdwI6dpTkSadwq1:7zc
MD5:	A9ED457569B5797C26026DFCB897B81B
SHA1:	7446683110D0D2FFAB541D9113C761E85553DD23
SHA-256:	9991B2EF56A31CF6DAB35EC2AC0CD588F722313BCEAECC441A10DD8C9F9B5480
SHA-512:	55715C52F620673E2C2B38EA15E715108761AB9672CCFCA73967344D1B0CD0E42A4F433B57F601AC3F7D6BE4FE92AEA2F565A1E24203075437E34696C396AD40
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."7..=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............}.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BL8R07ZCWCRZBXTB55X5.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3173125183974004
Encrypted:	false
SSDEEP:	48:edpTkyUgdwwz8dpTkS6BdwI6dpTkSadwq1:7zc
MD5:	A9ED457569B5797C26026DFCB897B81B
SHA1:	7446683110D0D2FFAB541D9113C761E85553DD23
SHA-256:	9991B2EF56A31CF6DAB35EC2AC0CD588F722313BCEAECC441A10DD8C9F9B5480
SHA-512:	55715C52F620673E2C2B38EA15E715108761AB9672CCFCA73967344D1B0CD0E42A4F433B57F601AC3F7D6BE4FE92AEA2F565A1E24203075437E34696C396AD40
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."7..=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............}.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SFF5UO3UKOK0M4S8WU53.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3173125183974004
Encrypted:	false
SSDEEP:	48:edpTkyUgdwwz8dpTkS6BdwI6dpTkSadwq1:7zc
MD5:	A9ED457569B5797C26026DFCB897B81B
SHA1:	7446683110D0D2FFAB541D9113C761E85553DD23
SHA-256:	9991B2EF56A31CF6DAB35EC2AC0CD588F722313BCEAECC441A10DD8C9F9B5480
SHA-512:	55715C52F620673E2C2B38EA15E715108761AB9672CCFCA73967344D1B0CD0E42A4F433B57F601AC3F7D6BE4FE92AEA2F565A1E24203075437E34696C396AD40
Malicious:	false
Preview:	...................................FL..................F.@.. ...p......."7..=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwY.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwY.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwY...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z..............}.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924030138642164
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgnh8P:8S+OBIUjOdwiOdYVjjwLgh8P
MD5:	0B2E20423637155340D99AA2A381B3DE
SHA1:	5A5B27666F55CF17884A79F6098E6A00789F08A3
SHA-256:	E57FA8C696694018BA5661F10569287D752905DAB7E0EE66692790D0D81021FC
SHA-512:	CDE96F21C09C91B349A57B1EB1256D0271A8EBAD5DD75232DA4D73B1B5EDC7A142D63FE0F86B65D6D3259EC018ABCD2174D02E29940D7A1C5D7BAD605EE9E2BC
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.924030138642164
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLgnh8P:8S+OBIUjOdwiOdYVjjwLgh8P
MD5:	0B2E20423637155340D99AA2A381B3DE
SHA1:	5A5B27666F55CF17884A79F6098E6A00789F08A3
SHA-256:	E57FA8C696694018BA5661F10569287D752905DAB7E0EE66692790D0D81021FC
SHA-512:	CDE96F21C09C91B349A57B1EB1256D0271A8EBAD5DD75232DA4D73B1B5EDC7A142D63FE0F86B65D6D3259EC018ABCD2174D02E29940D7A1C5D7BAD605EE9E2BC
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335394080534155
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkid:DLhesh7Owd4+ji
MD5:	B5C473AA27F6AC6203438B978628877A
SHA1:	FC82AD4B0619338D0423A03F46D302091B0D3843
SHA-256:	A2A1517F3C48CE8A40F90FC8C3CADEC03344B1347FC77AA58DFBC51CF8E27AAD
SHA-512:	32C9B14C715B00CD8AE009FB06BA053392AC76E0526DFBE9DDCCB745000DEFBF401F7D1FE7A314F6328BAF53D708A3B789E26B980174ADB6A6C8C61D54375DA8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03951915346124436
Encrypted:	false
SSDEEP:	3:GHlhVRF5cyWwGk4m5HlhVRF5cyWwGk4mFl8a9//Ylll4llqlyllel4lt:G7Vmy6m57Vmy6mfL9XIwlio
MD5:	4A68834CFDB7C702C0E779605AE13CB2
SHA1:	CDFFB74D922668BEEDDD9F9785AD4171C7787F7C
SHA-256:	F39BC23F2A10C3524F728C0E3918C50F58F02049B0B65834A5BB6276DCC773A3
SHA-512:	BA573B8D798C88F7863293FD1C6E624FEDF7A9CABD758FDDD3B056150DE15BF2D9AE7489C55E04B638AA47D2D45E07A4A70D529DA2F5BA864CCFD8193BC973AE
Malicious:	false
Preview:	..-......................H.....e.sC..G....:^......-......................H.....e.sC..G....:^............................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11778241587377851
Encrypted:	false
SSDEEP:	24:KriXfkzW+SLxsZ+djxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxpwldicVZ2i7+:9MSLQaJtUnWdU+RVxSyqZk
MD5:	8C8FE06EEF8865F2EFD500036F44093F
SHA1:	157F947395AE0F83DC57C2BA790F108C25FA60FD
SHA-256:	812E4765FEE7DA8E7B4962A857188F516AA1CCF9FD6EF118863153EE099DFF8E
SHA-512:	0B479EEDCA7D3A234C4A2571319A2024C5BFFD401366534951DE33E9C6F3481B354143B6A34966EBD5925C10054816B4382DB0968F9CA7619AD01D71D9CD9695
Malicious:	false
Preview:	7....-...........sC..G..x.v.26...........sC..G.....A....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492780426659284
Encrypted:	false
SSDEEP:	192:8naRtLYbBp6cdhj4qyaaXW6KqBNgc5RfGNBw8d4WSl:ReAqmxLlcw60
MD5:	5B37DA9F750396F18DF52449EA17B392
SHA1:	A2D2E13982775DB96DE63F41CC1029C829802C58
SHA-256:	CDD6F803CB9D1BB8715BCB52152AFC1C8B78D14C3026013D9FDD67ACB74A9655
SHA-512:	6C2767C9EB54470FC791D8A0CE63716E5E034D1ED8A243A6F9159265F7E95B7B3B4938B9941FDC90570EC155890DBE6339811C4E5BB399B3385118E330102EB0
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732401087);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732401087);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732401087);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173240

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.492780426659284
Encrypted:	false
SSDEEP:	192:8naRtLYbBp6cdhj4qyaaXW6KqBNgc5RfGNBw8d4WSl:ReAqmxLlcw60
MD5:	5B37DA9F750396F18DF52449EA17B392
SHA1:	A2D2E13982775DB96DE63F41CC1029C829802C58
SHA-256:	CDD6F803CB9D1BB8715BCB52152AFC1C8B78D14C3026013D9FDD67ACB74A9655
SHA-512:	6C2767C9EB54470FC791D8A0CE63716E5E034D1ED8A243A6F9159265F7E95B7B3B4938B9941FDC90570EC155890DBE6339811C4E5BB399B3385118E330102EB0
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732401087);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732401087);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732401087);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173240

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3335366719298865
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3LXnIg3I/pnxQwRlszT5sKt0x3eHVQj6TvamhujJlOsIomNVr0aDO:GUpOxCPgnR6S3eHTv4JlIquR4
MD5:	4867334641857F1FA79487F7A28F1E00
SHA1:	50E843D8E8C5C75DCA4CD8D7F0D36B0B41FB47AD
SHA-256:	E424AD5A8E478CE3331AF0823AEA70ED6E77CA89B60E92964478D6D2B96B5FA1
SHA-512:	A4B55345EF7E13D65615C61D77E05EA4AF00B09C55CCCEA6A8063F84DBFF5E0CE44E296B57E58EED67E084F7D8100DF033121DB9AA413432B8384FA99396A217
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ed23faa0-62af-4455-bf65-1c1f1114870f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732401091700,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P56215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...63303,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3335366719298865
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3LXnIg3I/pnxQwRlszT5sKt0x3eHVQj6TvamhujJlOsIomNVr0aDO:GUpOxCPgnR6S3eHTv4JlIquR4
MD5:	4867334641857F1FA79487F7A28F1E00
SHA1:	50E843D8E8C5C75DCA4CD8D7F0D36B0B41FB47AD
SHA-256:	E424AD5A8E478CE3331AF0823AEA70ED6E77CA89B60E92964478D6D2B96B5FA1
SHA-512:	A4B55345EF7E13D65615C61D77E05EA4AF00B09C55CCCEA6A8063F84DBFF5E0CE44E296B57E58EED67E084F7D8100DF033121DB9AA413432B8384FA99396A217
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ed23faa0-62af-4455-bf65-1c1f1114870f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732401091700,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P56215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...63303,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.3335366719298865
Encrypted:	false
SSDEEP:	24:v+USUGlcAxS3LXnIg3I/pnxQwRlszT5sKt0x3eHVQj6TvamhujJlOsIomNVr0aDO:GUpOxCPgnR6S3eHTv4JlIquR4
MD5:	4867334641857F1FA79487F7A28F1E00
SHA1:	50E843D8E8C5C75DCA4CD8D7F0D36B0B41FB47AD
SHA-256:	E424AD5A8E478CE3331AF0823AEA70ED6E77CA89B60E92964478D6D2B96B5FA1
SHA-512:	A4B55345EF7E13D65615C61D77E05EA4AF00B09C55CCCEA6A8063F84DBFF5E0CE44E296B57E58EED67E084F7D8100DF033121DB9AA413432B8384FA99396A217
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{ed23faa0-62af-4455-bf65-1c1f1114870f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732401091700,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P56215...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...63303,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033671211048153
Encrypted:	false
SSDEEP:	96:ycSb4jyTEr5QFRzzcMvbw6KkCrrc2Rn27:DmTEr5QFRzSzhRe
MD5:	14CFCA460A35545FC7E9ADB765F5984D
SHA1:	D52A254B09ADE82106C55AD0021D014BF60C5D0D
SHA-256:	EAA960B3ED48271ABEE15FC85E486D447EEA35FC5B23FDE1ABA7E604C52864FE
SHA-512:	F27C47F3703CC6A9218C3B388043B047A466431754488C9EACB35D43EDAACE46BB881F7F9BC4899314275BD6160835FEC0991E30E89D3C540582766B03C1DD89
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T22:31:14.617Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.033671211048153
Encrypted:	false
SSDEEP:	96:ycSb4jyTEr5QFRzzcMvbw6KkCrrc2Rn27:DmTEr5QFRzSzhRe
MD5:	14CFCA460A35545FC7E9ADB765F5984D
SHA1:	D52A254B09ADE82106C55AD0021D014BF60C5D0D
SHA-256:	EAA960B3ED48271ABEE15FC85E486D447EEA35FC5B23FDE1ABA7E604C52864FE
SHA-512:	F27C47F3703CC6A9218C3B388043B047A466431754488C9EACB35D43EDAACE46BB881F7F9BC4899314275BD6160835FEC0991E30E89D3C540582766B03C1DD89
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T22:31:14.617Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592833250560139
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	369171ab2e220e54f6822ef6c36fe248
SHA1:	7c99d97ff7ed3c2386a96ed83ecf93fd54486709
SHA256:	b9a0ed323b9c0e231a7fdffb9156da895613c4c6650564183bb19e0c507525eb
SHA512:	04ee0f4d27b0e1bcb8cc67769876a1a7958de71e0808ca238b86195b2c2854e6aefe84faff8069cc2741dd2ef1f8636f794a154fcf86bc23802982aa7b086c92
SSDEEP:	12288:SqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaCT5:SqDEvCTbMWu7rQYlBQcBiT6rprG8ai5
TLSH:	E3159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67423E50 [Sat Nov 23 20:42:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F41F8C6AAB3h
jmp 00007F41F8C6A3BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41F8C6A59Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F41F8C6A56Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F41F8C6D15Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F41F8C6D1A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F41F8C6D191h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa990	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa990	0xaa00	aab952374d07e92266bf01065de89d59	False	0.37614889705882354	data	5.654433159003555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1c56	data			1.0015164047422112
RT_GROUP_ICON	0xde410	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde488	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde49c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde4b0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde4c4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde5a0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 22:06:57.389838934 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:57.389944077 CET	443	49737	35.190.72.216	192.168.2.4
Nov 23, 2024 22:06:57.390923023 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:57.396297932 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:57.396384001 CET	443	49737	35.190.72.216	192.168.2.4
Nov 23, 2024 22:06:58.659679890 CET	443	49737	35.190.72.216	192.168.2.4
Nov 23, 2024 22:06:58.659959078 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:58.667779922 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:58.667877913 CET	443	49737	35.190.72.216	192.168.2.4
Nov 23, 2024 22:06:58.667943001 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:58.668045998 CET	443	49737	35.190.72.216	192.168.2.4
Nov 23, 2024 22:06:58.670279026 CET	49737	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:06:59.494075060 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.494122028 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:06:59.494236946 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.494333982 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:06:59.494476080 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:06:59.501077890 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.501529932 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.502546072 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.502563000 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:06:59.504010916 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:06:59.504097939 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:06:59.614069939 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:06:59.618686914 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:06:59.618686914 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:06:59.741357088 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:06:59.826405048 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.826497078 CET	443	49742	34.117.188.166	192.168.2.4
Nov 23, 2024 22:06:59.826620102 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.828175068 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.828259945 CET	443	49742	34.117.188.166	192.168.2.4
Nov 23, 2024 22:06:59.842499971 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.842545033 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 22:06:59.842603922 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.856575012 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:06:59.856591940 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:00.019629955 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:00.019674063 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:00.020216942 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:00.020358086 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:00.020370960 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:00.614895105 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:00.614933968 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:00.615730047 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:00.615921021 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:00.615927935 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:00.866260052 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:00.922213078 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:01.274547100 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.276289940 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.282125950 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.282135963 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.282227993 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.282283068 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.282362938 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.290106058 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.290117025 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.290785074 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.292109966 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.292123079 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.296252966 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.296264887 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.296344995 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.296396017 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.297245979 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.298423052 CET	443	49742	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.298506021 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.324259043 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.324269056 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.324965000 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.328578949 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.328645945 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.349227905 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:01.349355936 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:01.370644093 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.416052103 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:01.416073084 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:01.416286945 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:01.418833017 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.418879032 CET	443	49742	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.418899059 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.419006109 CET	443	49742	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.419657946 CET	49742	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.420785904 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:01.420847893 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:01.420912027 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 22:07:01.421050072 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 22:07:01.421643019 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.421700954 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.421746016 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.421865940 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 22:07:01.421955109 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 22:07:01.632411003 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:01.635023117 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.635052919 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.639991999 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.641315937 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:01.641328096 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:01.682697058 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:01.752026081 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:01.756547928 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:01.756717920 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:01.802625895 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:01.876576900 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:01.913388968 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:01.913467884 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:01.916580915 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:01.916585922 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:01.917115927 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:01.919126987 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:01.919194937 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:01.919361115 CET	443	49745	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:01.919434071 CET	49745	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:02.016587019 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.024247885 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.033617020 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.043159008 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.146068096 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.146117926 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.164700985 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.164777040 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.164892912 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.194993973 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.218585014 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.284977913 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.338929892 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.338996887 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.339121103 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.459672928 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.685050964 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:02.685102940 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:02.904784918 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:02.904846907 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.908788919 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.908801079 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:02.908936024 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:02.908958912 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.908965111 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:02.909380913 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.909416914 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:02.910742998 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.912166119 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:02.912179947 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:03.123333931 CET	443	49747	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:03.123410940 CET	49747	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:03.251017094 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:03.307291031 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:03.471482992 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:03.523629904 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:04.223823071 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:04.224056005 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:04.227858067 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:04.227869034 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:04.227952003 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:04.228003979 CET	443	49752	34.117.188.166	192.168.2.4
Nov 23, 2024 22:07:04.228075981 CET	49752	443	192.168.2.4	34.117.188.166
Nov 23, 2024 22:07:06.457683086 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:06.463668108 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:06.463761091 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:06.465138912 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:06.466728926 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:06.466814041 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:06.579440117 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:06.597786903 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:06.597872019 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:06.598005056 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:06.599416971 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:06.599456072 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:06.774852037 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:06.828710079 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:07.639923096 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:07.729691982 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:07.731359005 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:07.735101938 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:07.735132933 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:07.735203981 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:07.735297918 CET	443	49753	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:07.735600948 CET	49753	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:07.762063980 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:07.816826105 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:07.816854000 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:07.816972971 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:07.823332071 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:07.831785917 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:07.831917048 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:07.833683968 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:07.833698988 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:07.835774899 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:07.835803986 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:07.835850954 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:07.836040020 CET	443	49754	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:07.836779118 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:07.836829901 CET	443	49757	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:07.838139057 CET	49754	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:07.838197947 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:07.839545965 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:07.839576006 CET	443	49757	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:07.966258049 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:08.016571045 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:08.732110023 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:08.732131958 CET	443	49759	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:08.732630968 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:08.733800888 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:08.733813047 CET	443	49759	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:08.733951092 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:08.853521109 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:09.065663099 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:09.115530014 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:09.208012104 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:09.208024979 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:09.208120108 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:09.211034060 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:09.211046934 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:09.211278915 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:09.213248014 CET	443	49757	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:09.213478088 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:09.215981960 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:09.216022015 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:09.216135025 CET	443	49756	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:09.216245890 CET	49756	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:09.218261003 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:09.218293905 CET	443	49757	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:09.218350887 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:09.218487024 CET	443	49757	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:09.218545914 CET	49757	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:10.042886019 CET	443	49759	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:10.042973042 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.046767950 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.046777010 CET	443	49759	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:10.046864986 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.046906948 CET	443	49759	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:10.046968937 CET	49759	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.311676025 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:10.431272984 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:10.596529961 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.596563101 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:10.598695040 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.600086927 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:10.600104094 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:10.637409925 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:10.679133892 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:11.191701889 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:11.203717947 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.203752041 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.205921888 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.206078053 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.206089020 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.214957952 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.215044975 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.215934992 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.216083050 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.216120958 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.311341047 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:11.506970882 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:11.575782061 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:11.859679937 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.859766006 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.910300016 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.910317898 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.910446882 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.910475016 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.910482883 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:11.910542011 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:11.964477062 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:12.084975958 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:12.289695024 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:12.340379953 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:12.467667103 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.469027042 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.471519947 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.471529007 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.471762896 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.473958015 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.474041939 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.474096060 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.474203110 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.475939035 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.476027966 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.478342056 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.478372097 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.478615046 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.480613947 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.480705976 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.480746984 CET	443	49764	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:12.480808020 CET	49764	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:12.600044012 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:12.719643116 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:12.730581999 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:12.851722002 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:12.922714949 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:12.964167118 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:13.054454088 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:13.095721960 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:13.250197887 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:13.376612902 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:13.571783066 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:13.612767935 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:14.156709909 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:14.156799078 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:14.169332981 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:14.170665026 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:14.170717955 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:15.474526882 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:15.474543095 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:15.474637032 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:16.145904064 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:16.145991087 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:16.146037102 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:16.146205902 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:16.146289110 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:17.359832048 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:17.479521990 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:17.766325951 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:17.769068956 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:17.809184074 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:17.888952017 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:18.085438013 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:18.141258001 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:25.463526964 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:25.463570118 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:25.469458103 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:25.469522953 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:25.469532013 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:25.488867044 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:25.488883972 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:25.491007090 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:25.491161108 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:25.491172075 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:25.494195938 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:25.494204044 CET	443	49771	35.190.72.216	192.168.2.4
Nov 23, 2024 22:07:25.496016026 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:25.497283936 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:25.497292995 CET	443	49771	35.190.72.216	192.168.2.4
Nov 23, 2024 22:07:25.715723038 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:25.715780973 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:25.715902090 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:25.716077089 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:25.716093063 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:25.818218946 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:25.818245888 CET	443	49773	35.201.103.21	192.168.2.4
Nov 23, 2024 22:07:25.818660021 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:25.819943905 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:25.819955111 CET	443	49773	35.201.103.21	192.168.2.4
Nov 23, 2024 22:07:26.484766960 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:26.484802961 CET	443	49774	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:26.485122919 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:26.486284971 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:26.486295938 CET	443	49774	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:26.726890087 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:26.726979971 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:26.729701996 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:26.729713917 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:26.729912996 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:26.731797934 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:26.731878996 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:26.731905937 CET	443	49769	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:26.732129097 CET	49769	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:26.736233950 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:26.748645067 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:26.750036001 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:26.755476952 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:26.755486012 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:26.755709887 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:26.755851030 CET	443	49771	35.190.72.216	192.168.2.4
Nov 23, 2024 22:07:26.756067991 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:26.759428978 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:26.759506941 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:26.759555101 CET	443	49770	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:26.760380030 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:26.760384083 CET	443	49771	35.190.72.216	192.168.2.4
Nov 23, 2024 22:07:26.760432005 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:26.760503054 CET	443	49771	35.190.72.216	192.168.2.4
Nov 23, 2024 22:07:26.760658026 CET	49770	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:26.760746956 CET	49771	443	192.168.2.4	35.190.72.216
Nov 23, 2024 22:07:26.855784893 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.021847010 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:27.021933079 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:27.024481058 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:27.024491072 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:27.024684906 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:27.026602030 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:27.026674032 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:27.026710987 CET	443	49772	151.101.65.91	192.168.2.4
Nov 23, 2024 22:07:27.032226086 CET	49772	443	192.168.2.4	151.101.65.91
Nov 23, 2024 22:07:27.033675909 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.033696890 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.033770084 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.033886909 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.033901930 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.035613060 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.035644054 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.035891056 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.035981894 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.035993099 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.037713051 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.037801027 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.038180113 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.038270950 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:27.038326025 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:27.059972048 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.062242031 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.104257107 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.131828070 CET	443	49773	35.201.103.21	192.168.2.4
Nov 23, 2024 22:07:27.131895065 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:27.136719942 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:27.136727095 CET	443	49773	35.201.103.21	192.168.2.4
Nov 23, 2024 22:07:27.136805058 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:27.136908054 CET	443	49773	35.201.103.21	192.168.2.4
Nov 23, 2024 22:07:27.137974977 CET	49773	443	192.168.2.4	35.201.103.21
Nov 23, 2024 22:07:27.139245987 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.147221088 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:27.147260904 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:27.147392988 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:27.147495031 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:27.147505045 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:27.182393074 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.258969069 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.383472919 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.436353922 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.466509104 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.469350100 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.511198044 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.589004993 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.754849911 CET	443	49774	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:27.756027937 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:27.760948896 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:27.760957003 CET	443	49774	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:27.761023998 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:27.761107922 CET	443	49774	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:27.761153936 CET	49774	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:27.763535023 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.784369946 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:27.837500095 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:27.883094072 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.088228941 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.090720892 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.138336897 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.211204052 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.252521992 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.252593994 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.255342960 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.255352974 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.255552053 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.258220911 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.258315086 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.258338928 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.259602070 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.262926102 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.371989965 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.372057915 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.374327898 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.374341011 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.374541998 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.376910925 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.376981020 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.377032995 CET	443	49777	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.377579927 CET	49777	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.484198093 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.484210014 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.486284018 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.486412048 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:28.488864899 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.489027977 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.491571903 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.491588116 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.491789103 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.493911028 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.493922949 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:28.494141102 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:28.497298956 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.497355938 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.497421980 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.498379946 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.498440981 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.498511076 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:28.503333092 CET	443	49778	34.149.100.209	192.168.2.4
Nov 23, 2024 22:07:28.507333994 CET	443	49776	35.244.181.201	192.168.2.4
Nov 23, 2024 22:07:28.507636070 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.507653952 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.507669926 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.507684946 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.507684946 CET	49778	443	192.168.2.4	34.149.100.209
Nov 23, 2024 22:07:28.507703066 CET	49776	443	192.168.2.4	35.244.181.201
Nov 23, 2024 22:07:28.523864985 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.586980104 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.589128971 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.639852047 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:28.709111929 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.907514095 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:28.956234932 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:38.599507093 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:38.719290972 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:38.915843964 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:39.035489082 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:48.727751017 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:48.759092093 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:48.759129047 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:48.759462118 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:48.760677099 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:48.760689020 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:48.852303982 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:49.044231892 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:49.163999081 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:50.017081976 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:50.017165899 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:50.023058891 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:50.023065090 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:50.023176908 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:50.023185968 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:50.023190022 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:50.027472973 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:50.147119045 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:50.231337070 CET	443	49781	34.107.243.93	192.168.2.4
Nov 23, 2024 22:07:50.231410027 CET	49781	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:07:50.351484060 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:50.355117083 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:50.404632092 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:50.474632025 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:50.671420097 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:50.718173027 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:55.102405071 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.102444887 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:55.102566957 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.102593899 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:55.102689981 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.102701902 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:55.103254080 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103276968 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103283882 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103566885 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103585005 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:55.103823900 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103837967 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:55.103965044 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:55.103974104 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.318780899 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.323333979 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.327928066 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.332087040 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.332101107 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.332308054 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.335067034 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.335143089 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.335185051 CET	443	49795	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.335445881 CET	49795	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.340436935 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:56.365375996 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.366076946 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.369355917 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.369364023 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.369602919 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.372308969 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.372353077 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.372464895 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.372469902 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.372479916 CET	443	49793	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.372994900 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.374845028 CET	49793	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.376887083 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.376893044 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.377213001 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.379787922 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.379884958 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.379981995 CET	443	49794	34.120.208.123	192.168.2.4
Nov 23, 2024 22:07:56.380692959 CET	49794	443	192.168.2.4	34.120.208.123
Nov 23, 2024 22:07:56.460072994 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:56.664875031 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:56.668734074 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:56.713578939 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:07:56.795228958 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:57.194974899 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:07:57.246262074 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:06.673867941 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:06.798192024 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:07.206434965 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:07.326170921 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:16.808890104 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:16.928524971 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:17.341377974 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:17.461124897 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:26.937254906 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:27.057094097 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:27.469981909 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:27.659691095 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:30.050766945 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:30.050856113 CET	443	49872	34.107.243.93	192.168.2.4
Nov 23, 2024 22:08:30.051065922 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:30.052375078 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:30.052427053 CET	443	49872	34.107.243.93	192.168.2.4
Nov 23, 2024 22:08:31.265993118 CET	443	49872	34.107.243.93	192.168.2.4
Nov 23, 2024 22:08:31.266078949 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:31.272373915 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:31.272416115 CET	443	49872	34.107.243.93	192.168.2.4
Nov 23, 2024 22:08:31.272468090 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:31.272532940 CET	443	49872	34.107.243.93	192.168.2.4
Nov 23, 2024 22:08:31.273518085 CET	49872	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:08:31.275577068 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:31.397700071 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:31.602036953 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:31.605917931 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:31.650923967 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:31.725682974 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:31.922739029 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:31.967331886 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:41.609160900 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:41.728821993 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:41.925631046 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:42.045224905 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:51.738519907 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:51.864391088 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:08:52.054969072 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:08:52.174595118 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:01.867625952 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:01.987521887 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:02.184005976 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:02.310009003 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:11.996938944 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:12.116827965 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:12.313426971 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:12.434984922 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:22.141938925 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:22.261542082 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:22.442790985 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:22.569029093 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:32.270914078 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:32.394608021 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:32.571772099 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:32.691566944 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:42.400748014 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:42.520483017 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:42.701639891 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:42.821574926 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:51.569463968 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:51.569520950 CET	443	50051	34.107.243.93	192.168.2.4
Nov 23, 2024 22:09:51.569602966 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:51.571005106 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:51.571026087 CET	443	50051	34.107.243.93	192.168.2.4
Nov 23, 2024 22:09:52.530016899 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:52.650966883 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:52.789191961 CET	443	50051	34.107.243.93	192.168.2.4
Nov 23, 2024 22:09:52.789309025 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:52.795701027 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:52.795707941 CET	443	50051	34.107.243.93	192.168.2.4
Nov 23, 2024 22:09:52.795825005 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:52.795875072 CET	443	50051	34.107.243.93	192.168.2.4
Nov 23, 2024 22:09:52.796761036 CET	50051	443	192.168.2.4	34.107.243.93
Nov 23, 2024 22:09:52.798732042 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:52.830899000 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:52.918394089 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:52.950663090 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:53.123164892 CET	80	49750	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:53.126712084 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:53.169637918 CET	49750	80	192.168.2.4	34.107.221.82
Nov 23, 2024 22:09:53.246563911 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:53.441761971 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 22:09:53.489762068 CET	49749	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 22:06:57.390403032 CET	51841	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:57.529000044 CET	53	51841	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:57.530128002 CET	49786	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:57.852202892 CET	53	49786	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.086440086 CET	53143	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.087357044 CET	54227	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.230237007 CET	53	53143	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.494966984 CET	50574	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.495265007 CET	61570	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.633517981 CET	53	50574	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.634097099 CET	58259	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.634670973 CET	53	61570	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.635265112 CET	57417	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.688273907 CET	58876	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.704921007 CET	64635	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.774977922 CET	53	58259	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.776304960 CET	53	57417	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.825483084 CET	53	58876	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.826459885 CET	50074	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.841830015 CET	53	64635	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.842665911 CET	50414	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.868684053 CET	62045	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.967274904 CET	53	50074	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.967756987 CET	56615	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:06:59.980890036 CET	53	50414	1.1.1.1	192.168.2.4
Nov 23, 2024 22:06:59.981686115 CET	61176	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:00.007692099 CET	53	62045	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.020127058 CET	54285	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:00.107096910 CET	53	56615	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.121570110 CET	53	61176	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.159352064 CET	53	54285	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.160022020 CET	55206	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:00.297705889 CET	53	55206	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.615391970 CET	60390	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:00.756145000 CET	53	60390	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:00.760790110 CET	55923	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:00.900094032 CET	53	55923	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:01.424257994 CET	60974	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:01.425343990 CET	56705	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:01.487225056 CET	58965	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:01.564516068 CET	53	60974	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:01.564831018 CET	53	56705	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:02.022993088 CET	50457	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:02.350672007 CET	63131	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:02.495115995 CET	53	63131	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:02.495919943 CET	62075	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:02.642209053 CET	53	62075	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:02.642803907 CET	50469	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:02.689052105 CET	53	55157	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:02.781702042 CET	53	50469	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:06.218677998 CET	64528	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:06.356383085 CET	53	64528	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:06.358402014 CET	60617	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:06.498024940 CET	53	60617	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:06.499855995 CET	57578	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:06.597944021 CET	52302	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:06.638564110 CET	53	57578	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:06.735577106 CET	53	52302	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:06.736551046 CET	54601	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:06.879982948 CET	53	54601	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:07.675687075 CET	56467	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:07.679078102 CET	57789	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:07.813059092 CET	53	56467	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:07.816570044 CET	53	57789	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:07.837297916 CET	55935	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:07.975486994 CET	53	55935	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:08.090764999 CET	49588	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:08.227665901 CET	53	49588	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:11.204103947 CET	63610	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:11.343720913 CET	53	63610	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:14.157464981 CET	64513	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:14.295192003 CET	53	64513	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.362926960 CET	63874	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.363121033 CET	57755	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.363209963 CET	58129	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.500174999 CET	53	57755	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.500896931 CET	56986	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.500922918 CET	53	63874	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.501607895 CET	54483	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.502104998 CET	53	58129	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.502731085 CET	56317	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.638849020 CET	53	54483	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.639441967 CET	52811	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.640660048 CET	53	56986	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.641119957 CET	56732	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.715511084 CET	53	56317	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.716051102 CET	53837	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.780138969 CET	53	56732	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.780683994 CET	62987	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.783457041 CET	53	52811	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.784012079 CET	56215	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.919821978 CET	53	62987	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.920312881 CET	64156	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:17.920813084 CET	53	56215	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:17.921232939 CET	60271	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:18.019067049 CET	53	53837	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:18.059601068 CET	53	60271	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:18.060091019 CET	54536	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:18.137557030 CET	53	64156	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:18.138063908 CET	55387	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:18.197362900 CET	53	54536	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:18.420586109 CET	53	55387	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.464469910 CET	62710	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.484236002 CET	61347	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.503148079 CET	63906	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.606225967 CET	53	62710	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.712429047 CET	53	61347	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.715915918 CET	56459	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.817462921 CET	53	63906	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.818500042 CET	57826	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.855360031 CET	53	56459	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.855792999 CET	63102	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:25.963654995 CET	53	57826	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:25.964116096 CET	50737	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:26.088562012 CET	53	63102	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:26.101402044 CET	53	50737	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:26.485537052 CET	64676	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:26.624639034 CET	53	64676	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:48.614063978 CET	56262	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:48.758250952 CET	53	56262	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:48.759243011 CET	57723	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:48.897236109 CET	53	57723	1.1.1.1	192.168.2.4
Nov 23, 2024 22:07:55.101591110 CET	59185	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:07:55.241548061 CET	53	59185	1.1.1.1	192.168.2.4
Nov 23, 2024 22:08:30.051000118 CET	52516	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:08:30.189348936 CET	53	52516	1.1.1.1	192.168.2.4
Nov 23, 2024 22:08:31.275820017 CET	64496	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:09:51.284887075 CET	63053	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:09:51.423680067 CET	53	63053	1.1.1.1	192.168.2.4
Nov 23, 2024 22:09:51.426589966 CET	57977	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:09:51.568464994 CET	53	57977	1.1.1.1	192.168.2.4
Nov 23, 2024 22:09:51.569128036 CET	51795	53	192.168.2.4	1.1.1.1
Nov 23, 2024 22:09:51.784177065 CET	53	51795	1.1.1.1	192.168.2.4
Nov 23, 2024 22:09:52.799009085 CET	64761	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 22:06:57.390403032 CET	192.168.2.4	1.1.1.1	0x3333	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:57.530128002 CET	192.168.2.4	1.1.1.1	0xb3c7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:06:59.086440086 CET	192.168.2.4	1.1.1.1	0xe6a8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.087357044 CET	192.168.2.4	1.1.1.1	0xd90e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.494966984 CET	192.168.2.4	1.1.1.1	0x9cbd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.495265007 CET	192.168.2.4	1.1.1.1	0xcff5	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.634097099 CET	192.168.2.4	1.1.1.1	0x1f5f	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 22:06:59.635265112 CET	192.168.2.4	1.1.1.1	0xfdd	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:06:59.688273907 CET	192.168.2.4	1.1.1.1	0xbae1	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.704921007 CET	192.168.2.4	1.1.1.1	0xaeed	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.826459885 CET	192.168.2.4	1.1.1.1	0x7dac	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.842665911 CET	192.168.2.4	1.1.1.1	0x82d4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.868684053 CET	192.168.2.4	1.1.1.1	0xb987	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.967756987 CET	192.168.2.4	1.1.1.1	0x9fa5	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:06:59.981686115 CET	192.168.2.4	1.1.1.1	0xb560	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:00.020127058 CET	192.168.2.4	1.1.1.1	0x5429	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.160022020 CET	192.168.2.4	1.1.1.1	0xe1d0	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:00.615391970 CET	192.168.2.4	1.1.1.1	0x19db	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.760790110 CET	192.168.2.4	1.1.1.1	0x19ac	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:01.424257994 CET	192.168.2.4	1.1.1.1	0xea6e	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.425343990 CET	192.168.2.4	1.1.1.1	0xefaa	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.487225056 CET	192.168.2.4	1.1.1.1	0x8214	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.022993088 CET	192.168.2.4	1.1.1.1	0x365b	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.350672007 CET	192.168.2.4	1.1.1.1	0xa537	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.495919943 CET	192.168.2.4	1.1.1.1	0xb595	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.642803907 CET	192.168.2.4	1.1.1.1	0xa20c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:06.218677998 CET	192.168.2.4	1.1.1.1	0xe3b0	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.358402014 CET	192.168.2.4	1.1.1.1	0xdabe	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.499855995 CET	192.168.2.4	1.1.1.1	0xba14	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:06.597944021 CET	192.168.2.4	1.1.1.1	0x284b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.736551046 CET	192.168.2.4	1.1.1.1	0xe0bf	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:07.675687075 CET	192.168.2.4	1.1.1.1	0x8624	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:07.679078102 CET	192.168.2.4	1.1.1.1	0xdf64	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:07.837297916 CET	192.168.2.4	1.1.1.1	0x2672	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:08.090764999 CET	192.168.2.4	1.1.1.1	0x2205	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:11.204103947 CET	192.168.2.4	1.1.1.1	0x456d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:14.157464981 CET	192.168.2.4	1.1.1.1	0x1dee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:17.362926960 CET	192.168.2.4	1.1.1.1	0x14a3	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.363121033 CET	192.168.2.4	1.1.1.1	0x2cd9	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.363209963 CET	192.168.2.4	1.1.1.1	0x9400	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500896931 CET	192.168.2.4	1.1.1.1	0xa58c	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.501607895 CET	192.168.2.4	1.1.1.1	0x498b	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.502731085 CET	192.168.2.4	1.1.1.1	0xf2e3	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.639441967 CET	192.168.2.4	1.1.1.1	0xbbc4	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:17.641119957 CET	192.168.2.4	1.1.1.1	0xf5ca	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:17.716051102 CET	192.168.2.4	1.1.1.1	0x65a1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 22:07:17.780683994 CET	192.168.2.4	1.1.1.1	0xed6	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.784012079 CET	192.168.2.4	1.1.1.1	0xcff5	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.920312881 CET	192.168.2.4	1.1.1.1	0x5eb1	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.921232939 CET	192.168.2.4	1.1.1.1	0xb2b2	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.060091019 CET	192.168.2.4	1.1.1.1	0xde16	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:18.138063908 CET	192.168.2.4	1.1.1.1	0x4aa5	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:25.464469910 CET	192.168.2.4	1.1.1.1	0x9eb2	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 22:07:25.484236002 CET	192.168.2.4	1.1.1.1	0xbbd6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.503148079 CET	192.168.2.4	1.1.1.1	0x57bd	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.715915918 CET	192.168.2.4	1.1.1.1	0xfafc	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.818500042 CET	192.168.2.4	1.1.1.1	0x8c38	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.855792999 CET	192.168.2.4	1.1.1.1	0x7bd0	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 22:07:25.964116096 CET	192.168.2.4	1.1.1.1	0x2387	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:26.485537052 CET	192.168.2.4	1.1.1.1	0xeb0b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:48.614063978 CET	192.168.2.4	1.1.1.1	0x5d13	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:48.759243011 CET	192.168.2.4	1.1.1.1	0x9ae	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:07:55.101591110 CET	192.168.2.4	1.1.1.1	0xf345	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:08:30.051000118 CET	192.168.2.4	1.1.1.1	0x6a32	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:08:31.275820017 CET	192.168.2.4	1.1.1.1	0xa8ae	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:51.284887075 CET	192.168.2.4	1.1.1.1	0xebfb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:51.426589966 CET	192.168.2.4	1.1.1.1	0x900a	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:51.569128036 CET	192.168.2.4	1.1.1.1	0xda38	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 22:09:52.799009085 CET	192.168.2.4	1.1.1.1	0x3647	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 22:06:57.370116949 CET	1.1.1.1	192.168.2.4	0x8239	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:57.529000044 CET	1.1.1.1	192.168.2.4	0x3333	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.230237007 CET	1.1.1.1	192.168.2.4	0xe6a8	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.231791973 CET	1.1.1.1	192.168.2.4	0xd90e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:06:59.231791973 CET	1.1.1.1	192.168.2.4	0xd90e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.633517981 CET	1.1.1.1	192.168.2.4	0x9cbd	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.634670973 CET	1.1.1.1	192.168.2.4	0xcff5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.774977922 CET	1.1.1.1	192.168.2.4	0x1f5f	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 22:06:59.776304960 CET	1.1.1.1	192.168.2.4	0xfdd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 22:06:59.825483084 CET	1.1.1.1	192.168.2.4	0xbae1	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.841830015 CET	1.1.1.1	192.168.2.4	0xaeed	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:06:59.841830015 CET	1.1.1.1	192.168.2.4	0xaeed	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.967274904 CET	1.1.1.1	192.168.2.4	0x7dac	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:06:59.980890036 CET	1.1.1.1	192.168.2.4	0x82d4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.007692099 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:00.007692099 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:00.007692099 CET	1.1.1.1	192.168.2.4	0xb987	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.159352064 CET	1.1.1.1	192.168.2.4	0x5429	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.297705889 CET	1.1.1.1	192.168.2.4	0xe1d0	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 22:07:00.613190889 CET	1.1.1.1	192.168.2.4	0x80cc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:00.613190889 CET	1.1.1.1	192.168.2.4	0x80cc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:00.756145000 CET	1.1.1.1	192.168.2.4	0x19db	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.564516068 CET	1.1.1.1	192.168.2.4	0xea6e	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.564831018 CET	1.1.1.1	192.168.2.4	0xefaa	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.564831018 CET	1.1.1.1	192.168.2.4	0xefaa	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:01.625623941 CET	1.1.1.1	192.168.2.4	0x8214	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:01.625623941 CET	1.1.1.1	192.168.2.4	0x8214	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.234826088 CET	1.1.1.1	192.168.2.4	0x365b	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:02.495115995 CET	1.1.1.1	192.168.2.4	0xa537	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:02.642209053 CET	1.1.1.1	192.168.2.4	0xb595	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.356383085 CET	1.1.1.1	192.168.2.4	0xe3b0	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:06.356383085 CET	1.1.1.1	192.168.2.4	0xe3b0	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:06.356383085 CET	1.1.1.1	192.168.2.4	0xe3b0	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.498024940 CET	1.1.1.1	192.168.2.4	0xdabe	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.596955061 CET	1.1.1.1	192.168.2.4	0x3638	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:06.735577106 CET	1.1.1.1	192.168.2.4	0x284b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:07.812364101 CET	1.1.1.1	192.168.2.4	0xe99b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:07.812364101 CET	1.1.1.1	192.168.2.4	0xe99b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:07.816570044 CET	1.1.1.1	192.168.2.4	0xdf64	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:07.816570044 CET	1.1.1.1	192.168.2.4	0xdf64	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:07.975486994 CET	1.1.1.1	192.168.2.4	0x2672	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:08.350260973 CET	1.1.1.1	192.168.2.4	0xc537	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500174999 CET	1.1.1.1	192.168.2.4	0x2cd9	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500174999 CET	1.1.1.1	192.168.2.4	0x2cd9	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.500922918 CET	1.1.1.1	192.168.2.4	0x14a3	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.502104998 CET	1.1.1.1	192.168.2.4	0x9400	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:17.502104998 CET	1.1.1.1	192.168.2.4	0x9400	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.638849020 CET	1.1.1.1	192.168.2.4	0x498b	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.640660048 CET	1.1.1.1	192.168.2.4	0xa58c	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.715511084 CET	1.1.1.1	192.168.2.4	0xf2e3	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.780138969 CET	1.1.1.1	192.168.2.4	0xf5ca	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 22:07:17.783457041 CET	1.1.1.1	192.168.2.4	0xbbc4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 22:07:17.783457041 CET	1.1.1.1	192.168.2.4	0xbbc4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 22:07:17.783457041 CET	1.1.1.1	192.168.2.4	0xbbc4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 22:07:17.783457041 CET	1.1.1.1	192.168.2.4	0xbbc4	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 22:07:17.919821978 CET	1.1.1.1	192.168.2.4	0xed6	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:17.919821978 CET	1.1.1.1	192.168.2.4	0xed6	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.919821978 CET	1.1.1.1	192.168.2.4	0xed6	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.919821978 CET	1.1.1.1	192.168.2.4	0xed6	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.919821978 CET	1.1.1.1	192.168.2.4	0xed6	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:17.920813084 CET	1.1.1.1	192.168.2.4	0xcff5	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.019067049 CET	1.1.1.1	192.168.2.4	0x65a1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 22:07:18.059601068 CET	1.1.1.1	192.168.2.4	0xb2b2	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.059601068 CET	1.1.1.1	192.168.2.4	0xb2b2	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.059601068 CET	1.1.1.1	192.168.2.4	0xb2b2	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.059601068 CET	1.1.1.1	192.168.2.4	0xb2b2	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.137557030 CET	1.1.1.1	192.168.2.4	0x5eb1	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.137557030 CET	1.1.1.1	192.168.2.4	0x5eb1	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.137557030 CET	1.1.1.1	192.168.2.4	0x5eb1	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:18.137557030 CET	1.1.1.1	192.168.2.4	0x5eb1	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.712429047 CET	1.1.1.1	192.168.2.4	0xbbd6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.712429047 CET	1.1.1.1	192.168.2.4	0xbbd6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.712429047 CET	1.1.1.1	192.168.2.4	0xbbd6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.712429047 CET	1.1.1.1	192.168.2.4	0xbbd6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.817462921 CET	1.1.1.1	192.168.2.4	0x57bd	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:25.817462921 CET	1.1.1.1	192.168.2.4	0x57bd	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.855360031 CET	1.1.1.1	192.168.2.4	0xfafc	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.855360031 CET	1.1.1.1	192.168.2.4	0xfafc	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.855360031 CET	1.1.1.1	192.168.2.4	0xfafc	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.855360031 CET	1.1.1.1	192.168.2.4	0xfafc	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:25.963654995 CET	1.1.1.1	192.168.2.4	0x8c38	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:26.088562012 CET	1.1.1.1	192.168.2.4	0x7bd0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 22:07:26.088562012 CET	1.1.1.1	192.168.2.4	0x7bd0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 22:07:26.088562012 CET	1.1.1.1	192.168.2.4	0x7bd0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 22:07:26.088562012 CET	1.1.1.1	192.168.2.4	0x7bd0	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 22:07:28.754743099 CET	1.1.1.1	192.168.2.4	0x374f	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:28.754743099 CET	1.1.1.1	192.168.2.4	0x374f	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:07:48.758250952 CET	1.1.1.1	192.168.2.4	0x5d13	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:07:55.100048065 CET	1.1.1.1	192.168.2.4	0xdde1	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:08:31.416197062 CET	1.1.1.1	192.168.2.4	0xa8ae	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:08:31.416197062 CET	1.1.1.1	192.168.2.4	0xa8ae	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:51.423680067 CET	1.1.1.1	192.168.2.4	0xebfb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:51.568464994 CET	1.1.1.1	192.168.2.4	0x900a	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 22:09:52.939547062 CET	1.1.1.1	192.168.2.4	0x3647	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 22:09:52.939547062 CET	1.1.1.1	192.168.2.4	0x3647	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7940	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 22:06:59.618686914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:00.866260052 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51543 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:01.682697058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:02.016587019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51544 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	7940	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 22:07:01.756717920 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	7940	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 22:07:02.164892912 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:03.251017094 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71878 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:06.457683086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:06.774852037 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71881 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:08.733951092 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:09.065663099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71883 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:11.191701889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:11.506970882 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71886 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:12.600044012 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:12.922714949 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71887 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:13.250197887 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:13.571783066 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71888 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:17.769068956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:18.085438013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71892 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:27.062242031 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:27.383472919 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:27.469350100 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:27.784369946 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71902 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:28.090720892 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:28.484210014 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:28.589128971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:28.907514095 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71903 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:38.915843964 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:07:49.044231892 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:07:50.355117083 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:50.671420097 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71925 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:07:56.668734074 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:07:57.194974899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71931 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:08:07.206434965 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:17.341377974 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:27.469981909 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:31.605917931 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:08:31.922739029 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 71966 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 22:08:41.925631046 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:52.054969072 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:02.184005976 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:12.313426971 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:22.442790985 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:53.126712084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 22:09:53.441761971 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 72048 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49750	34.107.221.82	80	7940	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 22:07:02.339121103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:03.471482992 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51546 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:07.639923096 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:07.966258049 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51550 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:10.311676025 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:10.637409925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51553 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:11.964477062 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:12.289695024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51555 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:12.730581999 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:13.054454088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51555 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:17.359832048 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:17.766325951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51560 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:26.736233950 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:27.059972048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51569 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:27.139245987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:27.466509104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51570 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:27.763535023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:28.088228941 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51570 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:28.262926102 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:28.586980104 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51571 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:38.599507093 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:07:48.727751017 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:07:50.027472973 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:50.351484060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51593 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:07:56.340436935 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:07:56.664875031 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51599 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:08:06.673867941 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:16.808890104 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:26.937254906 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:31.275577068 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:08:31.602036953 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51634 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 22:08:41.609160900 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:08:51.738519907 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:01.867625952 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:11.996938944 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:22.141938925 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 22:09:52.798732042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 22:09:53.123164892 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 51715 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	16:06:49
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7c0000
File size:	922'624 bytes
MD5 hash:	369171AB2E220E54F6822EF6C36FE248
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:06:49
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x790000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:06:49
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:06:51
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x790000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:06:51
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x790000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x790000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x790000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:06:52
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	16:06:53
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88431419-431f-449e-bac4-71b5cf1fdcda} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca2cf6eb10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	16:06:56
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -parentBuildID 20230927232528 -prefsHandle 876 -prefMapHandle 1040 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29d4d0f-f96b-4cd9-b96a-0f109be8bb1f} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca3f0f6010 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	16:07:06
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5424 -prefMapHandle 5432 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d13148-600e-45f3-99e5-72b76429e2d6} 7940 "\\.\pipe\gecko-crash-server-pipe.7940" 2ca484bb110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1571
Total number of Limit Nodes:	50

Executed Functions

Function 007C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007C430D

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

GetCurrentProcess.KERNEL32(?,0085CB64,00000000,?,?), ref: 007C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007C44A0

Strings

|O, xrefs: 008036F8
GetNativeSystemInfo, xrefs: 007C4460
kernel32.dll, xrefs: 007C444F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
Instruction ID: 877f89cdbcc267a00211539e8e5e73aa2dd8269f22b28fbab3604a7d915e7fef
Opcode Fuzzy Hash: 89ae806339cffab5701428dfcf288ab79e442882f9d85709ca8a26fcb99afddc
Instruction Fuzzy Hash: F2A1856590E3C2DFCF16E7797C496A67FB8BB66300B1C44AFD44193B61D62C4608EB21

Function 007C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42C9
LoadResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035BE
SizeofResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035D3
LockResource.KERNEL32(007C50AA,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20,?), ref: 008035E6

Strings

SCRIPT, xrefs: 007C42BF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction ID: bc047b3bcfcb8bc9d01cf56bbc71226552b3774464744a5f2c00cbf489c35105
Opcode Fuzzy Hash: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction Fuzzy Hash: 6B117971200700BFEB218BA5DC49F277BBAFBC5B52F20816DB816D62A0DB75D800DA20

Function 00802BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00882224), ref: 00802C10
ShellExecuteW.SHELL32(00000000,?,?,00882224), ref: 00802C17

Strings

runas, xrefs: 00802C0B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c18724271a59cf9547ce7dc59074966b0df94316dfaee1e48094729a84d8437b
Instruction ID: cbadce0eefe39af43e481c5cdded0b2d91fe8c15ac48121c378e466dc42b696e
Opcode Fuzzy Hash: c18724271a59cf9547ce7dc59074966b0df94316dfaee1e48094729a84d8437b
Instruction Fuzzy Hash: A911D231208341DACB14FF60D85DFAEBBA5FB94310F48442DF192420A3DF2C894A8712

Function 0082D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Process32NextW.KERNEL32(00000000,?), ref: 0082D52F
CloseHandle.KERNELBASE(00000000), ref: 0082D5DC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
Instruction ID: 363e3dbc7e331407a2c147332b07faf7918c82c9a16b48b469cfed429637e90d
Opcode Fuzzy Hash: 76c29e86e6569b3cf1ebff0abb2846410f5c47bd4af646eb6161147924e57cd2
Instruction Fuzzy Hash: 2D317E711083009FD301EF64D889EAFBBF8FF99354F14092DF581861A1EB75A985CBA2

Function 0082DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00805222), ref: 0082DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0082DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0082DBEE
FindClose.KERNEL32(00000000), ref: 0082DBFA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction ID: ff9a2ccd413a4dff525b7b8cbdc600ba942d61089b49f7d392c5eb97ffda219b
Opcode Fuzzy Hash: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction Fuzzy Hash: ABF0A030810B245B82206B78AC0D8AA3BACFF01336B104702F836D22E0EBB45994CA96

Function 007E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D09
TerminateProcess.KERNEL32(00000000,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D10
ExitProcess.KERNEL32 ref: 007E4D22

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction ID: 4d675a6f6074e444ac3f4da08f511a38663f9cd9817dd074c722d9faf71263d5
Opcode Fuzzy Hash: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction Fuzzy Hash: 0CE09231101688AFCB11AF65DD09A983B69FB85782B104054FA058A222CB39D942CA80

Function 0084AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0084B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1D4
_wcslen.LIBCMT ref: 0084B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B236
_wcslen.LIBCMT ref: 0084B332

Part of subcall function 008305A7: GetStdHandle.KERNEL32(000000F6), ref: 008305C6

_wcslen.LIBCMT ref: 0084B34B
_wcslen.LIBCMT ref: 0084B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084B3B6
GetLastError.KERNEL32(00000000), ref: 0084B407
CloseHandle.KERNEL32(?), ref: 0084B439
CloseHandle.KERNEL32(00000000), ref: 0084B44A
CloseHandle.KERNEL32(00000000), ref: 0084B45C
CloseHandle.KERNEL32(00000000), ref: 0084B46E
CloseHandle.KERNEL32(?), ref: 0084B4E3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 402072d8552b211833c06f6950319691aa054745bda19ace362bd359c4999d3f
Instruction ID: 67d26ea0b7cf247574ad894151ec6a8a7cdb6b4d58bb11d169c773b28d5663d7
Opcode Fuzzy Hash: 402072d8552b211833c06f6950319691aa054745bda19ace362bd359c4999d3f
Instruction Fuzzy Hash: C6F16531608244DFC724EF24C895B2ABBE5FF84314F14855DF8999B2A2CB35EC40CB92

Function 007CD730 Relevance: 21.6, APIs: 14, Instructions: 623sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007CD807
timeGetTime.WINMM ref: 007CDA07
Sleep.KERNELBASE(0000000A), ref: 007CDBB1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 520c1a8fa63dab2b6b452efb7c001fb1a7bafb6033f751976ed63f244dae8b3a
Instruction ID: 8ec6db029b2263934147f965f486b12ccf2834d0bc8b02479fe64185be12bfa5
Opcode Fuzzy Hash: 520c1a8fa63dab2b6b452efb7c001fb1a7bafb6033f751976ed63f244dae8b3a
Instruction Fuzzy Hash: 5542AD70608341EFDB35DF24C888FAAB7A5FF85304F14852EE55687291D778AC94CB92

Function 007C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2D07
RegisterClassExW.USER32(00000030), ref: 007C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
LoadIconW.USER32(000000A9), ref: 007C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94

Strings

TaskbarCreated, xrefs: 007C2D37
0, xrefs: 007C2CE9
+, xrefs: 007C2CF0
AutoIt v3 GUI, xrefs: 007C2D23

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction ID: 37bf9d576a46a9cb043270db42efa9b5cc69a5cdd284c1c3d9e221916fc79750
Opcode Fuzzy Hash: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction Fuzzy Hash: 9F21B2B5905319AFDF00EFA4EC49B9DBFB4FB08B01F14811AFA11A62A0D7B95544CF91

Function 0080065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0080039A: CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

GetLastError.KERNEL32 ref: 0080076F
__dosmaperr.LIBCMT ref: 00800776
GetFileType.KERNELBASE(00000000), ref: 00800782
GetLastError.KERNEL32 ref: 0080078C
__dosmaperr.LIBCMT ref: 00800795
CloseHandle.KERNEL32(00000000), ref: 008007B5
CloseHandle.KERNEL32(?), ref: 008008FF
GetLastError.KERNEL32 ref: 00800931
__dosmaperr.LIBCMT ref: 00800938

Strings

H, xrefs: 008008BD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction ID: 76461b565d984ef6a90e71f7766223acc16a769d36a058756c863045d39662f6
Opcode Fuzzy Hash: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction Fuzzy Hash: 24A13632A002488FDF19AF68DC55BAE3BA0FB06324F14415AF815DB3D2DB359912CF92

Function 007C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008031CE
RegCloseKey.ADVAPI32(?), ref: 00803210
_wcslen.LIBCMT ref: 00803277
_wcslen.LIBCMT ref: 00803286

Strings

Software\AutoIt v3\AutoIt, xrefs: 007C3560
\Include\, xrefs: 007C3527
Include, xrefs: 00803184, 008031C5
\, xrefs: 0080328C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: c6107bce9765ecdf9f15c8726d2ff87c91ff53479a9b640a7a67f2e019b0f87e
Instruction ID: f34e1c1a9b4552f75af602e5985a78e26473695cb287f801d2ed79d84cd9e032
Opcode Fuzzy Hash: c6107bce9765ecdf9f15c8726d2ff87c91ff53479a9b640a7a67f2e019b0f87e
Instruction Fuzzy Hash: F1716C71505301EEC314EF65EC869ABBBE8FF89340B44452EF545D32B1EB389A48DB62

Function 007C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007C2B9D
LoadIconW.USER32(00000063), ref: 007C2BB3
LoadIconW.USER32(000000A4), ref: 007C2BC5
LoadIconW.USER32(000000A2), ref: 007C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007C2BEF
RegisterClassExW.USER32(?), ref: 007C2C40

Part of subcall function 007C2CD4: GetSysColorBrush.USER32(0000000F), ref: 007C2D07
Part of subcall function 007C2CD4: RegisterClassExW.USER32(00000030), ref: 007C2D31
Part of subcall function 007C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007C2D42
Part of subcall function 007C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007C2D5F
Part of subcall function 007C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007C2D6F
Part of subcall function 007C2CD4: LoadIconW.USER32(000000A9), ref: 007C2D85
Part of subcall function 007C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007C2D94

Strings

0, xrefs: 007C2C0F
#, xrefs: 007C2C16
AutoIt v3, xrefs: 007C2C2F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction ID: 5643461955c447aa3e7c3e07ed61d6bcf6bb62529ec538eb7057c4358dda30b2
Opcode Fuzzy Hash: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction Fuzzy Hash: 7B211A70E04319AFDF10AFA9EC59B997FB4FB48B50F08411BE504A67A0D7B90540EF90

Function 007C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007C316A,?,?), ref: 007C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007C316A,?,?), ref: 007C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007C316A,?,?), ref: 007C3232
CreatePopupMenu.USER32 ref: 007C3246
PostQuitMessage.USER32(00000000), ref: 007C3267

Strings

TaskbarCreated, xrefs: 007C322D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 78b99c5b27ee25086aef0511f105719cf9caf982f1eb8feb0968e5eae8c096ff
Instruction ID: 31d86aab01b88ff0ffcd981ba878570e65abad4e90c1351b976ae614db042165
Opcode Fuzzy Hash: 78b99c5b27ee25086aef0511f105719cf9caf982f1eb8feb0968e5eae8c096ff
Instruction Fuzzy Hash: 5541D735248209AFDF152B789D4DFB93B69F705340F0C812EF902C66E1C76D9E40ABA1

Function 007C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007C1459
CoUninitialize.COMBASE ref: 007C14F8
UnregisterHotKey.USER32(?), ref: 007C16DD
DestroyWindow.USER32(?), ref: 008024B9
FreeLibrary.KERNEL32(?), ref: 0080251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0080254B

Strings

close all, xrefs: 007C1454

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b2aebb4ba13d0b64fbf14c45356ac772f5d353aecb4f49684ad272ec2456c5c5
Instruction ID: 4f998ad388822f8d1dce0816f23c7ba0ddc1379386d95f8d8037e256af11762e
Opcode Fuzzy Hash: b2aebb4ba13d0b64fbf14c45356ac772f5d353aecb4f49684ad272ec2456c5c5
Instruction Fuzzy Hash: C7D16931601212CFCB59EF14C899F29F7A4FF05710F5442ADE94AAB292DB35AD22CF94

Function 007C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CCF

Strings

AutoIt v3, xrefs: 007C2C89, 007C2C8E, 007C2C8F
edit, xrefs: 007C2CAC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction ID: 122572d6b13ff50bc621053de1057b4ad885caa5a5304f01e7feddc591a9e2ee
Opcode Fuzzy Hash: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction Fuzzy Hash: 9FF0DA755443917EEF312727AC0CE772EBDF7CAF51B04005AF904A26A0C6791854EEB0

Function 007C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B83

Strings

Control Panel\Mouse, xrefs: 007C3B3E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction ID: 18c0af9de58db67b25e2d5d45c0897365addcfb2ec79d1cd9fc069948672e21a
Opcode Fuzzy Hash: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction Fuzzy Hash: 0D1127B5610208FFDB208FA5DC84EEFBBB8EF04795B10846EB805D7110E235AE409BA0

Function 007C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008033A2

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04

Strings

Line: , xrefs: 008033EB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 84f5e8b7b21fd016098f406569e852df9d46c5680bff2d3bc8bfbb966c4f3841
Instruction ID: 8819eea696ff22caa13f904329a7335340c7115a082d19f31f2670af5a0d4ec2
Opcode Fuzzy Hash: 84f5e8b7b21fd016098f406569e852df9d46c5680bff2d3bc8bfbb966c4f3841
Instruction Fuzzy Hash: 6A31C271408301AAD721EB20DC49FEBB7ECBB44714F04892EF59992291DB7CAA48C7C2

Function 007DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0668

Part of subcall function 007E32A4: RaiseException.KERNEL32(?,?,?,007E068A,?,00891444,?,?,?,?,?,?,007E068A,007C1129,00888738,007C1129), ref: 007E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

Strings

Unknown exception, xrefs: 007E0692

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: cb7dc485e4ac6d2a84ab472da3d80964c3790ab872589f39802b8d14ab389d3e
Instruction ID: 8c0d27525c9208a91f4cb87982e1bd4ab32a0219edb697a197c4835dd280a50a
Opcode Fuzzy Hash: cb7dc485e4ac6d2a84ab472da3d80964c3790ab872589f39802b8d14ab389d3e
Instruction Fuzzy Hash: 58F04C3490128DF3CF00B676D84ED5E777DAE04310BA04431F924D6691EFB8DA65C6C0

Function 007C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Part of subcall function 007C1B4A: RegisterWindowMessageW.USER32(00000004,?,007C12C4), ref: 007C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007C136A
OleInitialize.OLE32 ref: 007C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008024AB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
Instruction ID: edd2bf79495671fb66d00451c9b4c2c1d9e87d2ccf29af1dd76bae969a3e2a5c
Opcode Fuzzy Hash: 499cd24c498cf5d77826c36c65fd7e1f064f14f8dd6c00caea352d4b5c361015
Instruction Fuzzy Hash: 2071B7B49193028ECF85FFB9A94DA583BE1FB8834434E822FE51AD7261EB344409CF44

Function 0082C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0082C259
KillTimer.USER32(?,00000001,?,?), ref: 0082C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0082C270

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: d64261078a4e7a28319c9a55ccaaa8fecfe6288aad84b393e87eaac669ee3dec
Instruction ID: 90265bcce6bb69ab53b9089bcb97b98ca8863010e20bd2a0faa0dc00f7226b7c
Opcode Fuzzy Hash: d64261078a4e7a28319c9a55ccaaa8fecfe6288aad84b393e87eaac669ee3dec
Instruction Fuzzy Hash: 0D318170904364AFEB22DF649859BEABBECFB06348F04049EE59A97241C7745AC4CB51

Function 007F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007F85CC,?,00888CC8,0000000C), ref: 007F8704
GetLastError.KERNEL32(?,007F85CC,?,00888CC8,0000000C), ref: 007F870E
__dosmaperr.LIBCMT ref: 007F8739

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction ID: 3073a3774a925ade5aefb2766007471988db13c6d119924614a4fd1bfc997411
Opcode Fuzzy Hash: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction Fuzzy Hash: EE016B33605A285AC2A07338A84D77E67894F8277DF390119FB14CB3D3DEAC8C818152

Function 007CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007CDB7B
DispatchMessageW.USER32(?), ref: 007CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007CDB9F
Sleep.KERNELBASE(0000000A), ref: 007CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00811CC9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d0a3abb7f2ae800e065eaec97dff88ba03f8affb39ba99cb593b5ddebde3955a
Instruction ID: ce39da49538eed6a1e4c0c3260778b80f5721bc8a6948438ed6a4007645baa28
Opcode Fuzzy Hash: d0a3abb7f2ae800e065eaec97dff88ba03f8affb39ba99cb593b5ddebde3955a
Instruction Fuzzy Hash: 5CF03A306443419BEB309BA08C89FEA73ACFB88311F10452DE61AD34C0EB3898889B25

Function 007D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007D17F6

Strings

CALL, xrefs: 007D17C6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 385383cff1c7d071215948e69c4588cefe1364e21ceb71d10cb2f09bfba56922
Instruction ID: 170eba3241e4f5feeab7120dc3ac26264de3484d04bde3e3363a1f885dac8afc
Opcode Fuzzy Hash: 385383cff1c7d071215948e69c4588cefe1364e21ceb71d10cb2f09bfba56922
Instruction Fuzzy Hash: 7922AB70608201EFC714DF14C484A6ABBF5FF89314F58896EF4968B362D739E895CB92

Function 007C2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00802C8C

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 007C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4

Strings

X, xrefs: 00802C5A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
Instruction ID: fa452d79c9dba659df2e595aaf3ebfa4c20333e94f5233a1134bfe637bbecf50
Opcode Fuzzy Hash: 902106a640404c79010464c2a8bb312ccd1105ec009c06759e710b0494889a09
Instruction Fuzzy Hash: 13218171A002989ADB41EF94C849BEE7BB8AF48314F00805DE505EB281DBB85A498FA1

Function 007C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7f21de7a6f84db892d43aee2e7d7458d3bdea957303dc97c8a4e132ac5862551
Instruction ID: 2911a6f6d5dcfe648347823d47dcbb842dc7815cc925c37a7e28ecda6d1ec9ca
Opcode Fuzzy Hash: 7f21de7a6f84db892d43aee2e7d7458d3bdea957303dc97c8a4e132ac5862551
Instruction Fuzzy Hash: 1E314C705047019FD721EF24D889B97BBF8FB49708F04096EF59987250E779AA44CB52

Function 007DF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007DF661

Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807

Sleep.KERNEL32(00000000), ref: 0081F2DE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 734c4b13198cbf96e9b7ded096ff028a6d410cb36a9a5d29d52ffc0c004a41c6
Instruction ID: 180218724ca8111419349a8843516e246e0598eb8315662d20b49594ae0c82bd
Opcode Fuzzy Hash: 734c4b13198cbf96e9b7ded096ff028a6d410cb36a9a5d29d52ffc0c004a41c6
Instruction Fuzzy Hash: 32F058312407059FD310EB69E44AF6ABBE8FF59761F00002EE85AC7361DB74A8008B90

Function 007C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
Part of subcall function 007C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
Part of subcall function 007C4E90: FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EFD

Part of subcall function 007C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
Part of subcall function 007C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
Part of subcall function 007C4E59: FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
Instruction ID: 2ef5f14424b6eed17ece98477c23933e679b092b49d5cdd0444040d6d73d00d4
Opcode Fuzzy Hash: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
Instruction Fuzzy Hash: 8D112332600305EADB10EB60DC2AFAD77A5AF40710F10842DF442E61C1EEB9AA449B90

Function 007F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 007F8440

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction ID: 0c977caf22b3412f986230ffa549b95e20432214a39e06f3dc072f595c170273
Opcode Fuzzy Hash: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction Fuzzy Hash: 5911187590410EAFCB05DF58E9419AE7BF5FF48314F144059F908AB312DB31DA11CBA5

Function 007F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007F4C7D: RtlAllocateHeap.NTDLL(00000008,007C1129,00000000,?,007F2E29,00000001,00000364,?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?), ref: 007F4CBE

_free.LIBCMT ref: 007F506C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: ba38c55ac3fada6e37a7d3ec0eafe6643e8c0bc8fae4fbd97e5de66e4a74c5d6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 2C012B722047099BE3218E65D84596AFBE8FB85370F25061DE39493380EA746805C674

Function 007EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 45546a8bc570fe10392127206bba3d3268b3180ec5b887669ee8dfe662f4a0f5
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EEF0F932512A54D7C6313B679C09B6A33989F56334F100B15F620932D2DB7CE80285A6

Function 007F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007C1129,00000000,?,007F2E29,00000001,00000364,?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?), ref: 007F4CBE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3ed0fe2f1a8d504cfe9ca27f9275659856b04b82bc9493704d2023dee4e8bcc8
Instruction ID: 6df06311c4233ec7343dbae97c2df84300886395dd60f1ef166fb22b967de2e6
Opcode Fuzzy Hash: 3ed0fe2f1a8d504cfe9ca27f9275659856b04b82bc9493704d2023dee4e8bcc8
Instruction Fuzzy Hash: 58F0B432607268A7DB215F66AC09B7B3798BF417A1B186112BB15A7381DA3CD800D6B0

Function 007F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction ID: a4fd2732631dac0ff22c91ca100ef3f7b04b8b3c6f3ae6e853b2fbbc473c8a9e
Opcode Fuzzy Hash: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction Fuzzy Hash: B2E0E53210526CEAE62126779D08BBA3648AB42BF0F090022BE0592780DB1DDD0191F0

Function 007C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4F6D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
Instruction ID: 5fbd48d89e97c6e2f76f7da1b9427d0e72e52ad64ac658987b502e8432390a92
Opcode Fuzzy Hash: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
Instruction Fuzzy Hash: ACF03971105B52CFDB349F64D4A4E22BBE4BF14329328897EE1EA82621CB399844DF10

Function 00852A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00852A66

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d2e6787ddb45ccacea308ceb59f47ce051da3de4cc905e57492b19e795ddb671
Instruction ID: de6812173c7ec8725bdb04b63d4f2e85d5204d93a227653657769a399c795eaa
Opcode Fuzzy Hash: d2e6787ddb45ccacea308ceb59f47ce051da3de4cc905e57492b19e795ddb671
Instruction Fuzzy Hash: 88E04F3635423AAAC714EA34EC809FA775CFB56396B10453AEC16C2140DF349A9986E0

Function 007C30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 382c2de8c37115acc524bd4da63a7b6d82d97c8a0a86726d2d96e1ba43ba1f46
Instruction ID: 448296bf4cda5e492e3ca48c42b4a0ebed6dda9e82b60d2a6aa53651e3116621
Opcode Fuzzy Hash: 382c2de8c37115acc524bd4da63a7b6d82d97c8a0a86726d2d96e1ba43ba1f46
Instruction Fuzzy Hash: 48F0A7709043089FEB52AB24DC4ABD57BBCB70170CF0401EAA14896282D7784B88CF41

Function 007C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
Instruction ID: 4debc470f996a3e11a30a9bd83078f4ffbda616f3686f6456bd38a8e89e70e07
Opcode Fuzzy Hash: 89dc7052873e29eab298e13f37f4ab690df68fc700b3b6f44faf7901f0a8ea50
Instruction Fuzzy Hash: 07E0CD726002245BCB10D6589C09FDA77DDEFC8790F040075FD09E7248DE64AD808551

Function 007C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 6de7b577e93e6ac5bd2bb98e46027c7138a5dd0087346b0ba9e13a36d6074cf2
Instruction ID: 68e163206d2bfc5a02e74e6600c579bcb78b9f39c1e7479f58926ab4ad24cbc1
Opcode Fuzzy Hash: 6de7b577e93e6ac5bd2bb98e46027c7138a5dd0087346b0ba9e13a36d6074cf2
Instruction Fuzzy Hash: D2E0262230430486CE04BB70985EFBDB38AABD5311F00443EF14383163CE2C898A4351

Function 0080039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction ID: 5d050a0c656f8ed9a8026c00e2989806ecdb4d961cbd6743bfefc38030d6a30f
Opcode Fuzzy Hash: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction Fuzzy Hash: D5D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014040BE1856020C736E821AB90

Function 007C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007C1CBC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction ID: ad29ef87f67f7163155c2409e449ff87e6ac1f62e69bf18863f76f80ede139d5
Opcode Fuzzy Hash: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction Fuzzy Hash: DAC0923A280305AFF614ABD0BC4EF107764B348B01F488002F60DA96E3D3B62820EA50

Non-executed Functions

Function 00859576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0085961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008596C9
SendMessageW.USER32 ref: 008596F2
GetKeyState.USER32(00000011), ref: 0085978B
GetKeyState.USER32(00000009), ref: 00859798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008597AE
GetKeyState.USER32(00000010), ref: 008597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008597E9
SendMessageW.USER32 ref: 00859810
SendMessageW.USER32(?,00001030,?,00857E95), ref: 00859918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0085992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00859941
SetCapture.USER32(?), ref: 0085994A
ClientToScreen.USER32(?,?), ref: 008599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008599D6
ReleaseCapture.USER32 ref: 008599E1
GetCursorPos.USER32(?), ref: 00859A19
ScreenToClient.USER32(?,?), ref: 00859A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859A80
SendMessageW.USER32 ref: 00859AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859AEB
SendMessageW.USER32 ref: 00859B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00859B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00859B4A
GetCursorPos.USER32(?), ref: 00859B68
ScreenToClient.USER32(?,?), ref: 00859B75
GetParent.USER32(?), ref: 00859B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859BFA
SendMessageW.USER32 ref: 00859C2B
ClientToScreen.USER32(?,?), ref: 00859C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00859CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859CDE
SendMessageW.USER32 ref: 00859D01
ClientToScreen.USER32(?,?), ref: 00859D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00859D82

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetWindowLongW.USER32(?,000000F0), ref: 00859E05

Strings

@GUI_DRAGID, xrefs: 0085997D
F, xrefs: 00859D07

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
Instruction ID: 7495d863705b04013d9cd65f269129a0830b2da7067333c66d2fa462d714347d
Opcode Fuzzy Hash: e2fc6c36f30d0f4fd7dddbf76f09c9b018e2cfb7dd94b104ec40b2de4a91bd53
Instruction Fuzzy Hash: 9C428A34204301EFDB21CF64C948AAABBE5FF58356F14061EFA99C72A1E731A958DF41

Function 00854873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00854908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00854927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0085494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0085495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0085497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00854A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A7E
IsMenu.USER32(?), ref: 00854A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854B20
GetWindowLongW.USER32(?,000000F0), ref: 00854B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00854BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00854C82
wsprintfW.USER32 ref: 00854CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00854D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854D5A

Strings

%d/%02d/%02d, xrefs: 00854CA8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5aca86e856e739aa60838705444a51f550d29dedfa2dc154f4d6ea297bcdb190
Instruction ID: d1f01ec65d889646e4bbe05b457d179a2dfe5ac21c69df3b6d093944e8465031
Opcode Fuzzy Hash: 5aca86e856e739aa60838705444a51f550d29dedfa2dc154f4d6ea297bcdb190
Instruction Fuzzy Hash: BB12D271500318AFEB258F28CC49FAE7BF4FF45319F105119F916EA2A1DB789989CB50

Function 007DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0081F474
IsIconic.USER32(00000000), ref: 0081F47D
ShowWindow.USER32(00000000,00000009), ref: 0081F48A
SetForegroundWindow.USER32(00000000), ref: 0081F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4AA
GetCurrentThreadId.KERNEL32 ref: 0081F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0081F4DE
SetForegroundWindow.USER32(00000000), ref: 0081F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F4F6
keybd_event.USER32(00000012,00000000), ref: 0081F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F50B
keybd_event.USER32(00000012,00000000), ref: 0081F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F519
keybd_event.USER32(00000012,00000000), ref: 0081F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F528
keybd_event.USER32(00000012,00000000), ref: 0081F52D
SetForegroundWindow.USER32(00000000), ref: 0081F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0081F557

Strings

Shell_TrayWnd, xrefs: 0081F46F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction ID: 4788ae02cdb41e003dd86e4f6a54a942c696b004a71c4ba8466ccbb75e742ea2
Opcode Fuzzy Hash: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction Fuzzy Hash: 74315D71A40318BFEB216BB55C4AFBF7EADFB44B51F10006AFA01E61D1D6B45940AEA0

Function 00821201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00821286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008212A8
CloseHandle.KERNEL32(?), ref: 008212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008212D1
GetProcessWindowStation.USER32 ref: 008212EA
SetProcessWindowStation.USER32(00000000), ref: 008212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00821310

Part of subcall function 008210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
Part of subcall function 008210BF: CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Strings

, xrefs: 0082125A
default, xrefs: 0082130B
winsta0, xrefs: 008212CC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 38eb20f8d15d5330588da5380a70eb6a9b1c534a9bb3c081e33cb9eebc056f4c
Instruction ID: 189d737593fb3265f54c5bf4c5e4f8c9a02d118bdda8bc135b7505aaa275f402
Opcode Fuzzy Hash: 38eb20f8d15d5330588da5380a70eb6a9b1c534a9bb3c081e33cb9eebc056f4c
Instruction Fuzzy Hash: 93818C71900318AFDF109FA4EC89BEE7BBAFF14704F244129F915E61A0C7358A84CB65

Function 00820B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820C00
GetLengthSid.ADVAPI32(?), ref: 00820C17
GetAce.ADVAPI32(?,00000000,?), ref: 00820C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820C6D
GetLengthSid.ADVAPI32(?), ref: 00820C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820C8C
HeapAlloc.KERNEL32(00000000), ref: 00820C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820CB4
CopySid.ADVAPI32(00000000), ref: 00820CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D45
HeapFree.KERNEL32(00000000), ref: 00820D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D55
HeapFree.KERNEL32(00000000), ref: 00820D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D65
HeapFree.KERNEL32(00000000), ref: 00820D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00820D78
HeapFree.KERNEL32(00000000), ref: 00820D7F

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction ID: 641ec00acecd121221b228d8797cec1371a6dd794b0a548683ee64548230cec5
Opcode Fuzzy Hash: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction Fuzzy Hash: E671597290131AAFEF10DFA4EC48BAEBBB8FF04311F144615E914E6292D775AA45CF60

Function 0083EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0085CC08), ref: 0083EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0083EB37
GetClipboardData.USER32(0000000D), ref: 0083EB43
CloseClipboard.USER32 ref: 0083EB4F
GlobalLock.KERNEL32(00000000), ref: 0083EB87
CloseClipboard.USER32 ref: 0083EB91
GlobalUnlock.KERNEL32(00000000), ref: 0083EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0083EBC9
GetClipboardData.USER32(00000001), ref: 0083EBD1
GlobalLock.KERNEL32(00000000), ref: 0083EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0083EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0083EC38
GetClipboardData.USER32(0000000F), ref: 0083EC44
GlobalLock.KERNEL32(00000000), ref: 0083EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0083EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0083ECF3
CountClipboardFormats.USER32 ref: 0083ED14
CloseClipboard.USER32 ref: 0083ED59

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
Instruction ID: e53a546f8c9999e7fcb6413386186fc18c786240257333908dad08d23a8e1097
Opcode Fuzzy Hash: 36abdb4d2a39b6330269198a73a9f2e54dc725056de46f732a980c56ef7416bb
Instruction Fuzzy Hash: B6618734204305AFD310EF24D899F6AB7A4FB84715F14455DF856EB2E2CB39E906CBA2

Function 0083698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008369BE
FindClose.KERNEL32(00000000), ref: 00836A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A75

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00836AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00836ADF

Strings

%4d, xrefs: 00836BB1
%02d, xrefs: 00836C00, 00836C0A, 00836C5A, 00836CAA, 00836CFA, 00836D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00836B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00836B32
%03d, xrefs: 00836DA2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
Instruction ID: 13a79d0c0e8ede26f898829a0e932fa5790bc2b96aec77f9a5c52a65340df2e5
Opcode Fuzzy Hash: 63611f617388664a2a8f7d1aa471fe835d2ce0f3f2a01d8cb9ebf50e6612b545
Instruction Fuzzy Hash: 86D14072508344AEC314EBA4C889EABB7ECFF88704F04491DF585D7291EB78DA44CB62

Function 00839642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00839663
GetFileAttributesW.KERNEL32(?), ref: 008396A1
SetFileAttributesW.KERNEL32(?,?), ref: 008396BB
FindNextFileW.KERNEL32(00000000,?), ref: 008396D3
FindClose.KERNEL32(00000000), ref: 008396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0083974A
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 00839768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00839772
FindClose.KERNEL32(00000000), ref: 0083977F
FindClose.KERNEL32(00000000), ref: 0083978F

Strings

*.*, xrefs: 008396F5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction ID: 8c1203cdcf71c2b285037030e75e581a967151d7c819585205e83cd7fd5d188b
Opcode Fuzzy Hash: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction Fuzzy Hash: 2E31DF3264131AAEDB10AFB4DC49ADE37ACFF89321F104055E955E21A0EBB8DE448E90

Function 0083979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00839819
FindClose.KERNEL32(00000000), ref: 00839824
FindFirstFileW.KERNEL32(*.*,?), ref: 00839840
SetCurrentDirectoryW.KERNEL32(?), ref: 00839890
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 008398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008398B8
FindClose.KERNEL32(00000000), ref: 008398C5
FindClose.KERNEL32(00000000), ref: 008398D5

Part of subcall function 0082DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0082DB00

Strings

*.*, xrefs: 0083983B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction ID: 449ec07277ee5a4cdeea5c1978d4eee385714cd02eadaa958147d32036fdcebf
Opcode Fuzzy Hash: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction Fuzzy Hash: 3231B33150131D6EDB10AFA4DC48ADE77ACFF86325F104165E990E21A0DBB9DD44CFA0

Function 0084BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0084BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0084BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0084C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0084C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0084C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0084C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084C382
RegCloseKey.ADVAPI32(00000000), ref: 0084C38F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 20ced3a6e73bb40bc648a88a89c6f718d2b4a4ff3a44881fba339c8c78f30482
Instruction ID: 260a4fde1eb0085a46b46a62e372c514a7acb92afa9703b00995423552b7a087
Opcode Fuzzy Hash: 20ced3a6e73bb40bc648a88a89c6f718d2b4a4ff3a44881fba339c8c78f30482
Instruction Fuzzy Hash: 3C023B71604204DFC754DF24C895E2ABBE9FF89318F18849DE84ACB2A2DB35EC45CB51

Function 00838195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00838257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00838267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00838273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00838310
SetCurrentDirectoryW.KERNEL32(?), ref: 00838324
SetCurrentDirectoryW.KERNEL32(?), ref: 00838356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00838395

Strings

*.*, xrefs: 0083839B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
Instruction ID: 80521cf6fc8dd3a4c1a98dc36ca99412a0248162cc372135e43c3ebea490ea4e
Opcode Fuzzy Hash: 03f29ab38121bcebfaffb890135444379567170c65a41e80f9e8d763868ce2c4
Instruction Fuzzy Hash: 336145725043459FCB10EF64D845AAEB3E8FF89314F04892EF989C7251EB39E945CB92

Function 0082D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0082D1DD
MoveFileW.KERNEL32(?,?), ref: 0082D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D237

Part of subcall function 0082D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0082D21C,?,?), ref: 0082D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0082D253
FindClose.KERNEL32(00000000), ref: 0082D264

Strings

\*.*, xrefs: 0082D0CD, 0082D0D6, 0082D0EB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
Instruction ID: 9fe4b491271b290dcad34dc5d42572d1cca295e1e6d1081bed61c7cd83211849
Opcode Fuzzy Hash: 24186872c4590a091d124eb0753dd35f15ebdf2670069b5f3f7c20ca383c5d27
Instruction Fuzzy Hash: E4613B3180121DEACF05EBA0E956EEDBBB5FF15305F208169E401B7191EB35AF49CB61

Function 0083ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0083ED91
EmptyClipboard.USER32 ref: 0083ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0083EDAC
CloseClipboard.USER32 ref: 0083EEA3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
Instruction ID: fb1518ab664c1fdc34a772a98ec5f27192b69b53bafff1a7ba1903821226887f
Opcode Fuzzy Hash: 0e7c19d3b466dbeadc6d753668fcd6fbda10d6c330901570fb48b6f1e5d26c76
Instruction Fuzzy Hash: D5415A35604611AFE721DF19D888B2ABBE5FF84319F14809DE4198B6A2C779ED42CBD0

Function 0082E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

ExitWindowsEx.USER32(?,00000000), ref: 0082E932

Strings

SeShutdownPrivilege, xrefs: 0082E902
, xrefs: 0082E920
@, xrefs: 0082E925
, xrefs: 0082E95C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction ID: 5071fd7efcbfa037d2953aaceb0d7643c6aeea112462caad5b8c042c399538a1
Opcode Fuzzy Hash: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction Fuzzy Hash: E8012672610334AFEF1426B8BC8ABBF765CF714745F150423FC12E21D1E6A45CC08698

Function 00841204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00841276
WSAGetLastError.WSOCK32 ref: 00841283
bind.WSOCK32(00000000,?,00000010), ref: 008412BA
WSAGetLastError.WSOCK32 ref: 008412C5
closesocket.WSOCK32(00000000), ref: 008412F4
listen.WSOCK32(00000000,00000005), ref: 00841303
WSAGetLastError.WSOCK32 ref: 0084130D
closesocket.WSOCK32(00000000), ref: 0084133C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
Instruction ID: e31c1f9b46b11e0b3bc09208e31a0e3681fe6d348abf86600727df05a71ed020
Opcode Fuzzy Hash: 9472d9678ec0d39e0cc8d7a695e916621de3202bd08b681fa75d9848e943e7ff
Instruction Fuzzy Hash: 0F416C316002149FDB10DF64C488B2ABBE5FF46319F18819CE856CB392C775EC81CBA1

Function 0082D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D481
FindClose.KERNEL32(00000000), ref: 0082D498
FindClose.KERNEL32(00000000), ref: 0082D4A1

Strings

\*.*, xrefs: 0082D3F2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
Instruction ID: 615641e02b6d5943bc765685a787c11ed9b49c04e975da90cbdd587b567bf55b
Opcode Fuzzy Hash: f080ed14bcdcb35b92ca70182a4d171dba9eec06ea348799033a864e714e2559
Instruction Fuzzy Hash: E9318D31008355AFC200EF64D89ADAFBBE8FE91305F404A1DF4D593191EB38AA098B67

Function 007FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007FE645

Strings

1#INF, xrefs: 007FF852
1#SNAN, xrefs: 007FF844
1#IND, xrefs: 007FF83D
1#QNAN, xrefs: 007FF84B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction ID: 5969104409e1c4813c0d08e527fed1c62a003be1c4700c6778469268557cdac6
Opcode Fuzzy Hash: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction Fuzzy Hash: E9C23972E0862C8FDB25DE289D447EAB7B5EF48304F1441EAD54DE7251EB78AE818F40

Function 0083648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008364DC
CoInitialize.OLE32(00000000), ref: 00836639
CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 00836650
CoUninitialize.OLE32 ref: 008368D4

Strings

.lnk, xrefs: 008364BA, 00836524, 008365E0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
Instruction ID: 7884699bc9dbb1309ca1fcbc40d1f855f8448ad8baa7ef460a9ca958ba153c3f
Opcode Fuzzy Hash: 82dc1d7d0d5d69a94595fe6ed57ca5565697ca02c35e80f0e59637992db5096a
Instruction Fuzzy Hash: 40D13971508201AFC314EF24C885E6BB7E8FF98704F14896DF595CB291EB74E945CBA2

Function 008422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008422E8

Part of subcall function 0083E4EC: GetWindowRect.USER32(?,?), ref: 0083E504

GetDesktopWindow.USER32 ref: 00842312
GetWindowRect.USER32(00000000), ref: 00842319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00842355
GetCursorPos.USER32(?), ref: 00842381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008423DF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction ID: 810de2bb071db58134cd9a79b7a1d84c68972a2eb8331a1207d564cb2832a679
Opcode Fuzzy Hash: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction Fuzzy Hash: 2031DE72508319AFC720DF58D849B5BBBA9FF88314F400919F985D7291DB34EA48CB96

Function 00839B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00839B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00839C8B

Part of subcall function 00833874: GetInputState.USER32 ref: 008338CB
Part of subcall function 00833874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00839BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00839C75

Strings

*.*, xrefs: 00839B5D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
Instruction ID: 69db7511985cfd3faa8176fa24c7d23496105801718cfbc4fbe21910bf6d2b42
Opcode Fuzzy Hash: 56b5ef8e84294f5d511796ba9384d546c47c1ad99c760b3d7a06fa023f13132d
Instruction Fuzzy Hash: 1041607190420A9FCF14DF64C889AEEBBB8FF45311F144159E855E2191EB749E85CFA0

Function 007D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 007D9A4E
GetSysColor.USER32(0000000F), ref: 007D9B23
SetBkColor.GDI32(?,00000000), ref: 007D9B36

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction ID: 1b73b3625ebed584ce1ae6604f681e1587e7f5820f09ef493e7543b32790ef7d
Opcode Fuzzy Hash: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction Fuzzy Hash: 26A1F871208544FEE725AA2C8C5DDBB2ABDFF82340F19421FF602D67D1DA299D41D272

Function 00841806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WSOCK32(?), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0084185D
WSAGetLastError.WSOCK32 ref: 00841884
bind.WSOCK32(00000000,?,00000010), ref: 008418DB
WSAGetLastError.WSOCK32 ref: 008418E6
closesocket.WSOCK32(00000000), ref: 00841915

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
Instruction ID: 61198057010e9236d6574a5c344dcb625fd313f0edb6d14203b91329a2a66c33
Opcode Fuzzy Hash: a85dc9b2d2efb2be5bea299e1687def5d80fa6576a38b8651a1e72d8afbe4b87
Instruction Fuzzy Hash: 1951A271A00214AFDB10AF24C88AF2A7BE5EB45718F08805CF9069F3D3CB75AD41CBA1

Function 00851C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00851CC0
IsWindowEnabled.USER32 ref: 00851CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00851CDB
IsIconic.USER32 ref: 00851CE9
IsZoomed.USER32 ref: 00851CF7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 943507f425d83afabc4d8a3012258e0015fc7d8f8b2ef89278f18bef483b11bc
Instruction ID: a2c8ba8d8b7389793ea3d61c618eb7c2403768451809dc1f898e63d3d1324611
Opcode Fuzzy Hash: 943507f425d83afabc4d8a3012258e0015fc7d8f8b2ef89278f18bef483b11bc
Instruction Fuzzy Hash: 3B2180317402119FDB218F1AC888F6A7BA5FF95316B19805CEC4ACB351DB76ED46CB90

Function 007C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007C83FA
VUUU, xrefs: 00805DF0
ERCP, xrefs: 007C813C
VUUU, xrefs: 007C83E8
VUUU, xrefs: 007C843C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction ID: 855aa1bd3fe9e0a5295425c7cbfc0bcbb782bcc33d7bb17cdbd45d181824176f
Opcode Fuzzy Hash: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction Fuzzy Hash: 23A26D70A0061ACBDFA4CF58C844BAEB7B1FB54310F2481AED815E7285EB749D91CF91

Function 0082AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0082AAAC
SetKeyboardState.USER32(00000080), ref: 0082AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0082AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0082AB88

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction ID: a02fd9947cc954108be2aa766d480f81aafd8a272a73d776fd8b9a39641ec691
Opcode Fuzzy Hash: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction Fuzzy Hash: C031E574A40368AFEB398A68AC05BFA7BA6FF54330F04421AE581D61D1D37589C5CB62

Function 007FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007FBB7F

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

GetTimeZoneInformation.KERNEL32 ref: 007FBB91
WideCharToMultiByte.KERNEL32(00000000,?,0089121C,000000FF,?,0000003F,?,?), ref: 007FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00891270,000000FF,?,0000003F,?,?,?,0089121C,000000FF,?,0000003F,?,?), ref: 007FBC36

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ddaa046f71b02b5b267c9a814e8565d8a314caa3e4bb9bd44d393852ed44a690
Instruction ID: 6c345f9377ca8592ac555404f0f6a9fe779eeec7171c4f88d76ca16af24d69d3
Opcode Fuzzy Hash: ddaa046f71b02b5b267c9a814e8565d8a314caa3e4bb9bd44d393852ed44a690
Instruction Fuzzy Hash: 4C31AF7094820ADFCF11EFA9DC8487ABBB8FF4575071842AAE261DB3A1D7349D00CB60

Function 0083CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0083CE89
GetLastError.KERNEL32(?,00000000), ref: 0083CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0083CEFE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
Instruction ID: 5eba52340d0fc9f931780444160074eef5f12488900a4afcc3e2f90fd306d652
Opcode Fuzzy Hash: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
Instruction Fuzzy Hash: 42219DB1500705DFD720DF65C948BA677F8FB80759F10481EE546E2151EB74EE058BA4

Function 00828298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008282AA

Strings

(, xrefs: 008282F0
|, xrefs: 008282DA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 78934d9efd7cd6f3231ba17cf76cda1901bd7f089dc3e1b3222baa6f935f2ef5
Instruction ID: 5fd54d3f3e2a233959e17e8c95f6f0ab3db150e36e67f9bbeee596cd98948580
Opcode Fuzzy Hash: 78934d9efd7cd6f3231ba17cf76cda1901bd7f089dc3e1b3222baa6f935f2ef5
Instruction Fuzzy Hash: 8B323474A01615DFCB28CF59D484A6AB7F0FF48710B15C46EE49ADB3A1EB70E981CB44

Function 00835C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00835CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00835D17
FindClose.KERNEL32(?), ref: 00835D5F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
Instruction ID: 1105f6ec51c421ccc5d586200b0f04816739a7d7706ddbae902bc132fe05ee9f
Opcode Fuzzy Hash: 1a7f06781fa7bad7fb78e92020f8500023fa971856637beb5ff7ed01e048c634
Instruction Fuzzy Hash: B7517675604A019FC714DF28C498E9AB7E4FF89328F14856EE95ACB3A1CB34ED05CB91

Function 007F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 007F2731

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction ID: d3409b1ffeda1eb06b8e2ccdcd170fff83586d350365fc7d66be42ba85b96cd4
Opcode Fuzzy Hash: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction Fuzzy Hash: EC31C27490131CEBCB21DF69DC88798BBB8BF08310F5041EAE90CA6261E7749F818F55

Function 008351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00835238
SetErrorMode.KERNEL32(00000000), ref: 008352A1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
Instruction ID: b4a7c69fe31ad45d214a0b248457badc58ee157461de6ac5e7cabe4c04b15324
Opcode Fuzzy Hash: c350885e730d845385a917e1e28c1a91fe6195b6eb7335b25f5deb7f7d038e58
Instruction Fuzzy Hash: B6313075A00618DFDB00DF54D888FAEBBB5FF49314F088099E8059B352DB35E856CB91

Function 008216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0668
Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
GetLastError.KERNEL32 ref: 0082174A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e08522759a917dd602cc5c21916b34b5a890b53b30e79090ac35eb92a5f2e7ea
Instruction ID: c5c4bebdd359da7738e28f175c0f787eef01f1c78b5dbc3fa96756cf843a8d3f
Opcode Fuzzy Hash: e08522759a917dd602cc5c21916b34b5a890b53b30e79090ac35eb92a5f2e7ea
Instruction Fuzzy Hash: 1E11C4B1500308AFD7189F54EC8AD6BB7F9FB44714B20852EE05693241EB74BC418A20

Function 0082D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0082D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D650

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction ID: 8ca2fb64506ee0136a5deb8e8dc1e0e369a1d18b870986b2ad6dbcb79faf95ea
Opcode Fuzzy Hash: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction Fuzzy Hash: B2115A75A01328BFDB108B94AC44BAFBFBCEB45B50F108111F914E7290C2744A018BE1

Function 00821663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0082168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008216A1
FreeSid.ADVAPI32(?), ref: 008216B1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction ID: 9d117cfbce64223219f6fad3f8e8cda687736454418c79dfb69858b7830316e9
Opcode Fuzzy Hash: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction Fuzzy Hash: 30F0F471950309FFDF00DFE49C89AAEBBBCFB08606F504565E501E2181E774AA448A50

Function 0081D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0081D28C

Strings

X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction ID: 56d72ad8b44ce74ed4dcec98351b227a4968666cccc3ed16a6f493636c2dca3d
Opcode Fuzzy Hash: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction Fuzzy Hash: 7ED0C9B480121DEECF90CB90DC88DD9B3BCFB14305F100152F106E2140D77895488F10

Function 007ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: dbe4d6b337ddd621e0805d54e63a0751eb1e42788515ae04d0a86829f8a7c18f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C0024D76E012599FDF15CFA9C8806ADFBF1FF48314F258169E919EB380D735A9028B90

Function 008368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00836918
FindClose.KERNEL32(00000000), ref: 00836961

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
Instruction ID: ad3a254000084adc0876b2f50f9d1c212c33c4a503dc35e345705abc8a4fa975
Opcode Fuzzy Hash: 5f50fcd9df2ceff515cb41240a528f378118e50811e49e0290395f5f2695e825
Instruction Fuzzy Hash: 7D117C31604200AFC710DF29D488B16BBE5FF85329F14C69DE8698B6A2DB34EC05CB91

Function 008337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337F4

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
Instruction ID: 546a499f8df207b88de0e17828b69375eca521a82fe90ac08822eb561bd65a1f
Opcode Fuzzy Hash: a51af313349052161755deb9e673d7d2f57ec76187e8424c5cbd3ec1fedd7e5e
Instruction Fuzzy Hash: 30F0E5B06043296AEB6017768C4DFEB3BAEFFC4761F000179F609D2291D9609904CBF0

Function 0082B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0082B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0082B270

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction ID: 70e296ba3ac1022db4c4ea49949c0891c8b6b2d659e79fa57c9789c6e2d2e816
Opcode Fuzzy Hash: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction Fuzzy Hash: E2F01D7180434DAFDB059FA4D805BAE7FB4FF0830AF008009F955A6192D3798651DF94

Function 008210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e281d42c685233339f43cc7e0e0db49048ac11f496446753963fb819e920b1d7
Instruction ID: 8e83b5361f1b60d1c76ef1a3f9c9782daf363eb95e84eaf1fa1c36f7ff5ffe18
Opcode Fuzzy Hash: e281d42c685233339f43cc7e0e0db49048ac11f496446753963fb819e920b1d7
Instruction Fuzzy Hash: DCE04F32004B10EEEB252B51FC09E7377A9FB04311B20882EF4A6805B1DB666CD0DB50

Function 007CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00810C40

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: e62947d7339c4515a8cfa061a87b8b8d2853c3e799dfea469afb72311a4ea4e2
Instruction ID: b8f8c33736bc61efb6316647eb3851e7af3d790174372cd01af59c327f49bff3
Opcode Fuzzy Hash: e62947d7339c4515a8cfa061a87b8b8d2853c3e799dfea469afb72311a4ea4e2
Instruction Fuzzy Hash: 3F323671900218EBCF15DF94C885FEDB7B9FF05304F24405DE80AAB292D779AA86DB61

Function 007F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007F6766,?,?,00000008,?,?,007FFEFE,00000000), ref: 007F6998

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction ID: 6569668c9d9d397e55e9b3cc102d63331883ab5f6ea39449290bbb9682802bfd
Opcode Fuzzy Hash: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction Fuzzy Hash: E1B128716106099FD719CF28C48AB657BA0FF45364F25C65CEA9ACF3A2C339E991CB40

Function 007DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0081851F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction ID: 3466f9e085206b3a6971243648f2a1d2a272acfa3cf7fd3807c81a80fc74ca8c
Opcode Fuzzy Hash: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction Fuzzy Hash: C7124C71900229DFCB24CF58C881AEEB7B5FF48710F15819AE849EB355EB349E81DB90

Function 0083EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0083EABD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
Instruction ID: d987e6ad258b909dae03e3b3ee334f162fad595c613ccb9e32d7c56a3581d5a1
Opcode Fuzzy Hash: dfed2d944e567649ee5aeacb47d8230a7a143eb3fdd6bf239e72312f5d71267f
Instruction Fuzzy Hash: 32E01A322002159FC710EF59D809E9AB7E9FFA8760F00841EFC49C7391DA74A8418B90

Function 007E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007E03EE), ref: 007E09DA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction ID: 4b289d58ed6846241651945082a97c771a076513493dd050ca59505ecc453a3e
Opcode Fuzzy Hash: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction Fuzzy Hash:

Function 007E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 007E798B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d20d3b89a437ce60f300e36af216d74fff09c1750bbd99148567e1c9af7f25d7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E751777160F7C59BDB3C856B889E7BE23899F2E340F180519D886CB283CA1DEE41D352

Function 007F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction ID: 8d1415c0e17fe7c24809d06659b54e72ee9fd42b64e0377910cb7435289fed6d
Opcode Fuzzy Hash: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction Fuzzy Hash: E2326622D29F454DD7279634CC22335A249BFB73C5F16D737F81AB5AAAEB69C4838100

Function 007DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction ID: 558f59ca05792296efc4bde2406d830102d2dd11313ea56df4543f0a42932f63
Opcode Fuzzy Hash: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction Fuzzy Hash: 8C321271A8411A8BCF29CE28C4906FD7BB9FF45314F28856BD98ACB291D234DDC1DB51

Function 007C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4255de2bd704cb268c28b7f47da7c9ebab394f02ada7c61ad3a74371601f1b72
Instruction ID: 1cb511f9e291a912e35b85d0020bd061200ceb4f2ab9015e5bf701a1d8e7af71
Opcode Fuzzy Hash: 4255de2bd704cb268c28b7f47da7c9ebab394f02ada7c61ad3a74371601f1b72
Instruction Fuzzy Hash: D6227CB0A04609DBDF14CFA8D885AAEB7B5FF44300F14452DE816E7291EB3AAD54CF64

Function 007C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0e1d9e68c773f64847f17031491a09f1b29f471e81f0e7203358e86d793664
Instruction ID: 923189a5879ce87944714379cdb0fb087de765304a21c893fcaf168451a9f816
Opcode Fuzzy Hash: 3e0e1d9e68c773f64847f17031491a09f1b29f471e81f0e7203358e86d793664
Instruction Fuzzy Hash: CD02C3B1A00209EBDB44DF64DC85BAEB7B1FF44304F108569E946DB3D1EB35AA60CB91

Function 007F9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe6fbcfbef46007ebaa3fb30b993db144405b8a9fc8632746d0e6053d164998
Instruction ID: 85e987a8955f19f822c345ccd4c4b437a7c47ad236f59a93dfe7d8a8d1ec955e
Opcode Fuzzy Hash: bbe6fbcfbef46007ebaa3fb30b993db144405b8a9fc8632746d0e6053d164998
Instruction Fuzzy Hash: 4BB1E220D2AF414DD22396399931336B65CBFBB6D5F52E71BFC1674F62EB2285834140

Function 007E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 11a7d0590290f14b716a3450ea77b2777c41190593857819553e80f56ea0afd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C491997260A0E34ADB29863F853603DFFE15A563A235A079DE4F2CB1C5FE38D954D620

Function 007E1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 9bdd6c8a08744f3080ce4fe0eb03e4d4393406eb878bce77718c574bbe081421
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: B191767220A0E34DDB6D423B847503EFFE55A963A131A079DD4F2CB1C6EE38DA55E620

Function 007E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: bfbd99ed2bf3ca4a59d6312b8bbe197e2a4933f05481fa678a265031adf7912c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FB91657220A0E34ADB2D427B857603DFFE15A963A135A47AED4F3CA1C1FD38D554D620

Function 007E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction ID: cbca08b55e3726d1b66965a8f28016edaecd5df014110778c3408711f9d90cd4
Opcode Fuzzy Hash: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction Fuzzy Hash: 42618DB160A7C996DA3C992F8C95BBF3398DF4D700F20492DE842CB291D61D9E42C366

Function 007E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction ID: cd4aa90e27dfe2710018755f352da717dcac4fd342adc2214a301464c976b726
Opcode Fuzzy Hash: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction Fuzzy Hash: 42618C7130A7C9A6DE3CCA2B4C95BBF2389DF4E704F100959E942DF281DA1EAD42C356

Function 007E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 46f0a54b4f3c58ac6cb6e4740ce65050a7bbe078d11bf0596ebea0b19d85c8df
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F881867260A0E34ADB2D423B857643EFFE15A963B135A079DD4F2CB1C2EE38D554D620

Function 00832046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction ID: ec68498554b605cf039629a24612ed0b9eb664e3e3914c88a43fb8e0b05bb0f5
Opcode Fuzzy Hash: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction Fuzzy Hash: 0B21AB326215118BD72CDE79C82267E73E5F764310F19852EE4A7C77D0DE359904CB80

Function 00842ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00842B30
DeleteObject.GDI32(00000000), ref: 00842B43
DestroyWindow.USER32 ref: 00842B52
GetDesktopWindow.USER32 ref: 00842B6D
GetWindowRect.USER32(00000000), ref: 00842B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00842CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00842CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842CF8
GetClientRect.USER32(00000000,?), ref: 00842D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00842D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D80
GlobalLock.KERNEL32(00000000), ref: 00842D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D98
GlobalUnlock.KERNEL32(00000000), ref: 00842DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DA8
GlobalFree.KERNEL32(00000000), ref: 00842DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,00000000), ref: 00842DDB
GlobalFree.KERNEL32(00000000), ref: 00842DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00842E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00842E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084303F

Strings

DISPLAY, xrefs: 00842EA2
AutoIt v3, xrefs: 00842CF2
static, xrefs: 00842D3A, 00842E91
, xrefs: 00842FC5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction ID: bac7b0a61116de4fa1221f45754291edfb99ed31310837df42f0f63bb99e4c95
Opcode Fuzzy Hash: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction Fuzzy Hash: BD023771900209EFDB14DFA4DC89EAE7BB9FB48711F048159F915AB2A1DB78AD01CF60

Function 008570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0085712F
GetSysColorBrush.USER32(0000000F), ref: 00857160
GetSysColor.USER32(0000000F), ref: 0085716C
SetBkColor.GDI32(?,000000FF), ref: 00857186
SelectObject.GDI32(?,?), ref: 00857195
InflateRect.USER32(?,000000FF,000000FF), ref: 008571C0
GetSysColor.USER32(00000010), ref: 008571C8
CreateSolidBrush.GDI32(00000000), ref: 008571CF
FrameRect.USER32(?,?,00000000), ref: 008571DE
DeleteObject.GDI32(00000000), ref: 008571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00857230
FillRect.USER32(?,?,?), ref: 00857262
GetWindowLongW.USER32(?,000000F0), ref: 00857284

Part of subcall function 008573E8: GetSysColor.USER32(00000012), ref: 00857421
Part of subcall function 008573E8: SetTextColor.GDI32(?,?), ref: 00857425
Part of subcall function 008573E8: GetSysColorBrush.USER32(0000000F), ref: 0085743B
Part of subcall function 008573E8: GetSysColor.USER32(0000000F), ref: 00857446
Part of subcall function 008573E8: GetSysColor.USER32(00000011), ref: 00857463
Part of subcall function 008573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
Part of subcall function 008573E8: SelectObject.GDI32(?,00000000), ref: 00857482
Part of subcall function 008573E8: SetBkColor.GDI32(?,00000000), ref: 0085748B
Part of subcall function 008573E8: SelectObject.GDI32(?,?), ref: 00857498
Part of subcall function 008573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
Part of subcall function 008573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
Part of subcall function 008573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 73e57935a1ebfeea4112405910c7ba864cc282d9ec63d6a29735869d3031c599
Instruction ID: 613af097dd048f79602dde4377ab3607ecc6dfae2ddd3f88496ef5504128bd9c
Opcode Fuzzy Hash: 73e57935a1ebfeea4112405910c7ba864cc282d9ec63d6a29735869d3031c599
Instruction Fuzzy Hash: D2A19072008701AFDB019F64DC48A5BBBA9FB49322F104A19F9A2D61E1E779E948CF51

Function 007D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00816AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00816AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00816F43

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

SendMessageW.USER32(?,00001053), ref: 00816F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00816F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00816FB7

Strings

0, xrefs: 00816DCF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction ID: 7714bac147c9fe0fdeeab4b91ff80050bbffb42616accee3f0715a61dce54d6b
Opcode Fuzzy Hash: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction Fuzzy Hash: 3F129C30204201DFDB65DF24D888BA5BBF9FF44311F58456AE485CB261DB35E8A2DF92

Function 00842711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0084273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00842900
GetClientRect.USER32(00000000,?), ref: 0084290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00842955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00842964
GetStockObject.GDI32(00000011), ref: 00842974
SelectObject.GDI32(00000000,00000000), ref: 00842978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00842988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00842991
DeleteDC.GDI32(00000000), ref: 0084299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00842A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00842A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00842A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00842A77
GetStockObject.GDI32(00000011), ref: 00842A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00842A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00842A97

Strings

msctls_progress32, xrefs: 00842A13
DISPLAY, xrefs: 0084295A
AutoIt v3, xrefs: 008428F8
static, xrefs: 0084294F, 00842A71

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
Instruction ID: 6ac38a78566d360cebea23bc96c49bb84e08a12921675d66f08985a8a889a2a9
Opcode Fuzzy Hash: e1f576ec30ccbcc831cb241bac210fa42b2e2981c165b36a55fc6f984f0b99e0
Instruction Fuzzy Hash: 47B13A71A40219AFEB14DF68DC8AFAE7BB9FB08715F004159F915E7290DB78AD40CB90

Function 00834ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834AED
GetDriveTypeW.KERNEL32(?,0085CB68,?,\\.\,0085CC08), ref: 00834BCA
SetErrorMode.KERNEL32(00000000,0085CB68,?,\\.\,0085CC08), ref: 00834D36

Strings

Removable, xrefs: 00834C10, 00834C15
SAS, xrefs: 00834CC9
Fibre, xrefs: 00834CAD
MMC, xrefs: 00834CDE
iSCSI, xrefs: 00834CC2
Unknown, xrefs: 00834BED, 00834C83
SSD, xrefs: 00834C4A
SSA, xrefs: 00834CA6
SCSI, xrefs: 00834C8A
USB, xrefs: 00834CB4
Virtual, xrefs: 00834CE5
1394, xrefs: 00834C9F
ATA, xrefs: 00834C98
CDROM, xrefs: 00834BFB
\\.\, xrefs: 00834B3F
SATA, xrefs: 00834CD0
RAID, xrefs: 00834CBB
Fixed, xrefs: 00834C09
RAMDisk, xrefs: 00834BF4
PhysicalDrive, xrefs: 00834B76
FileBackedVirtual, xrefs: 00834CEC
Network, xrefs: 00834C02
ATAPI, xrefs: 00834C91

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
Instruction ID: 855fe11cbfef22b4d75f868a83d3eee09bb7f09193d7fbd345608dd7cf203110
Opcode Fuzzy Hash: 0c4e2900f506a46f576bb863c48a62ac30786e7256529912e7b718f52fe51936
Instruction Fuzzy Hash: C4619330605209DBCB14EF64CA85D69B7A1FB84304F24A419F816EB752EB3AFD52DBC1

Function 008573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00857421
SetTextColor.GDI32(?,?), ref: 00857425
GetSysColorBrush.USER32(0000000F), ref: 0085743B
GetSysColor.USER32(0000000F), ref: 00857446
CreateSolidBrush.GDI32(?), ref: 0085744B
GetSysColor.USER32(00000011), ref: 00857463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
SelectObject.GDI32(?,00000000), ref: 00857482
SetBkColor.GDI32(?,00000000), ref: 0085748B
SelectObject.GDI32(?,?), ref: 00857498
InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00857554
InflateRect.USER32(?,000000FD,000000FD), ref: 00857572
DrawFocusRect.USER32(?,?), ref: 0085757D
GetSysColor.USER32(00000011), ref: 0085758E
SetTextColor.GDI32(?,00000000), ref: 00857596
DrawTextW.USER32(?,008570F5,000000FF,?,00000000), ref: 008575A8
SelectObject.GDI32(?,?), ref: 008575BF
DeleteObject.GDI32(?), ref: 008575CA
SelectObject.GDI32(?,?), ref: 008575D0
DeleteObject.GDI32(?), ref: 008575D5
SetTextColor.GDI32(?,?), ref: 008575DB
SetBkColor.GDI32(?,?), ref: 008575E5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 102ba133189825408728bbb6738e75bca5b04cc3aee3a7f8c5079e1684ad853a
Instruction ID: 95e4528ffd98773882fec507af1f19da99e66a7dae2ea0ee99f28d6cc61fcd2f
Opcode Fuzzy Hash: 102ba133189825408728bbb6738e75bca5b04cc3aee3a7f8c5079e1684ad853a
Instruction Fuzzy Hash: 2B615C72900718AFDF019FA4DC49EAEBFB9FB08362F118115F915AB2A1E7749940CF90

Function 00850FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00851128
GetDesktopWindow.USER32 ref: 0085113D
GetWindowRect.USER32(00000000), ref: 00851144
GetWindowLongW.USER32(?,000000F0), ref: 00851199
DestroyWindow.USER32(?), ref: 008511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00851232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00851245
IsWindowVisible.USER32(00000000), ref: 008512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008512D0
GetWindowRect.USER32(00000000,?), ref: 008512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0085130E
GetMonitorInfoW.USER32(00000000,?), ref: 00851328
CopyRect.USER32(?,?), ref: 0085133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008513AA

Strings

0, xrefs: 008510D3
(, xrefs: 0085131B
tooltips_class32, xrefs: 008511E6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
Instruction ID: 9d0e937be3b844490c2fe1ee3641613475bdcd92d2dae75dcc5c0b340e1c6413
Opcode Fuzzy Hash: c31e7adf7dbf44aa55bc4ff14a1f303fede16c5cc7bac940fd59adc217c5801f
Instruction Fuzzy Hash: F9B16971604341AFDB04DF64C889B6ABBE4FF88355F00891CF999DB2A1D775E848CB91

Function 007D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D8968
GetSystemMetrics.USER32(00000007), ref: 007D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D899B
GetSystemMetrics.USER32(00000008), ref: 007D89A3
GetSystemMetrics.USER32(00000004), ref: 007D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007D8A5A
GetStockObject.GDI32(00000011), ref: 007D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007D8A81

Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D

SetTimer.USER32(00000000,00000000,00000028,007D90FC), ref: 007D8AA8

Strings

AutoIt v3 GUI, xrefs: 007D8A20

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
Instruction ID: efa9598c6257c2bc600d8fcf70ab0f4ef601b5a934fce723bd6618383dd9bf6d
Opcode Fuzzy Hash: 242b7a713c3fd7bc7ed578763a6ba37bfdec7ed713254db2e7e5e1a452b2a71d
Instruction Fuzzy Hash: 52B17E75A0020A9FDF14DFA8CC49BAE7BB5FB48315F14422AFA55E7290DB38A840CF51

Function 00820D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820E29
GetLengthSid.ADVAPI32(?), ref: 00820E40
GetAce.ADVAPI32(?,00000000,?), ref: 00820E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820E96
GetLengthSid.ADVAPI32(?), ref: 00820EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820EB5
HeapAlloc.KERNEL32(00000000), ref: 00820EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820EDD
CopySid.ADVAPI32(00000000), ref: 00820EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F6E
HeapFree.KERNEL32(00000000), ref: 00820F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F7E
HeapFree.KERNEL32(00000000), ref: 00820F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F8E
HeapFree.KERNEL32(00000000), ref: 00820F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00820FA1
HeapFree.KERNEL32(00000000), ref: 00820FA8

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00820BB1,?), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction ID: e8fd5a8f357dda4ca454edf5055c1e289083482d309abcadce38e1268c6ff566
Opcode Fuzzy Hash: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction Fuzzy Hash: 4E71587290031AAFDF209FA4ED48BAEBBB8FF04311F144115F959E6192DB359A49CF60

Function 0084C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0085CC08,00000000,?,00000000,?,?), ref: 0084C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0084C5A4
_wcslen.LIBCMT ref: 0084C5F4
_wcslen.LIBCMT ref: 0084C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0084C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0084C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0084C84D
RegCloseKey.ADVAPI32(?), ref: 0084C881
RegCloseKey.ADVAPI32(00000000), ref: 0084C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0084C960

Strings

REG_QWORD, xrefs: 0084C8C3
REG_BINARY, xrefs: 0084C913
REG_EXPAND_SZ, xrefs: 0084C5CD
REG_SZ, xrefs: 0084C644
REG_DWORD, xrefs: 0084C804
REG_MULTI_SZ, xrefs: 0084C6F5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e8cdabfa4a5fdf3833e2ca4ea1ca42d95cbbabadf1764451858c68ebcb3e0585
Instruction ID: be2dd260acb22fb38b473eb4da6896b001c3d3eb43183bb3858c07a2195cdbe6
Opcode Fuzzy Hash: e8cdabfa4a5fdf3833e2ca4ea1ca42d95cbbabadf1764451858c68ebcb3e0585
Instruction Fuzzy Hash: 1D123335604204DFDB54DF14C885E2AB7E9FF88714F14889CF88A9B2A2DB35ED41CB85

Function 0085091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008509C6
_wcslen.LIBCMT ref: 00850A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00850A54
_wcslen.LIBCMT ref: 00850A8A
_wcslen.LIBCMT ref: 00850B06
_wcslen.LIBCMT ref: 00850B81

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

Part of subcall function 00822BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00822BFA

Strings

GETTOTALCOUNT, xrefs: 008509F2, 00850A17
EXISTS, xrefs: 00850B7C, 00850B97
ISCHECKED, xrefs: 00850CE1
GETSELECTED, xrefs: 00850C4E
GETITEMCOUNT, xrefs: 00850C1E
SELECT, xrefs: 00850D11
GETTEXT, xrefs: 00850C97
UNCHECK, xrefs: 00850D3E
COLLAPSE, xrefs: 00850B01, 00850B1C
EXPAND, xrefs: 00850BF8
CHECK, xrefs: 00850A85, 00850AA0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
Instruction ID: 069bf50da15b63899b403c40f4cfe979c524736a96c0bd3eeb07e5e1809b08bc
Opcode Fuzzy Hash: c51dc83d486010271f7f126d6b0567284bd58b4e2e66e7241a66aa9cf673576d
Instruction Fuzzy Hash: B4E157356083119FC714EF24C49092AB7E2FF98319B14895DF896AB362DB35ED49CF82

Function 0084C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
_wcslen.LIBCMT ref: 0084C9F1
_wcslen.LIBCMT ref: 0084CA68
_wcslen.LIBCMT ref: 0084CA9E
_wcslen.LIBCMT ref: 0084CAF9
_wcslen.LIBCMT ref: 0084CB2F
_wcslen.LIBCMT ref: 0084CB7F

Strings

HKCR, xrefs: 0084CB29, 0084CB2E
HKEY_CURRENT_USER, xrefs: 0084CBBD
HKCU, xrefs: 0084CBCE
HKLM, xrefs: 0084CA98, 0084CA9D
HKU, xrefs: 0084CBF0
HKEY_CLASSES_ROOT, xrefs: 0084CAF3, 0084CAF8
HKEY_LOCAL_MACHINE, xrefs: 0084CA62, 0084CA67
HKEY_USERS, xrefs: 0084CBDF
HKEY_CURRENT_CONFIG, xrefs: 0084CB79, 0084CB7E
HKCC, xrefs: 0084CBAC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
Instruction ID: 2466a167981afbf23a6eeb048a47ef226ff5866224fda638ed2ab8feb5e560e5
Opcode Fuzzy Hash: 67eee131789614d5098ba0191f8899b16f4eae76c563fc53787b7cf22e82a1f7
Instruction Fuzzy Hash: 5D71167260212E8BCB60EE7CCD515BE33A9FF60764B250528FC66E7284EA35DD44C7A0

Function 0085833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085835A
_wcslen.LIBCMT ref: 0085836E
_wcslen.LIBCMT ref: 00858391
_wcslen.LIBCMT ref: 008583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0085361A,?), ref: 0085844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858501
FreeLibrary.KERNEL32(?), ref: 0085850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085851D
DestroyIcon.USER32(?), ref: 0085852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00858549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00858555

Strings

.dll, xrefs: 008583AB
.icl, xrefs: 00858368
.exe, xrefs: 00858388

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
Instruction ID: 1dc692e3f9c63079141f89cab4e051a1bed2853b7ff8af6e103b3bc514486003
Opcode Fuzzy Hash: 86b6ce909afbbb3c0a9d1292aadd631f5654f4cad30e1cb47e919773224aff60
Instruction Fuzzy Hash: C461AE71500319FEEB149F64CC85BBE77A8FB08B22F10454AFD15E61D1EB78A994CBA0

Function 007C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 007C7847
Cannot parse #include, xrefs: 00805279
#comments-start, xrefs: 007C785F, 007C78B1
#ce, xrefs: 007C78ED
#pragma compile, xrefs: 007C77D3
#notrayicon, xrefs: 007C77E7
", xrefs: 00805153
#cs, xrefs: 007C7873, 007C78C5
', xrefs: 00805169
#comments-end, xrefs: 007C78D9
#OnAutoItStartRegister, xrefs: 007C7817
Bad directive syntax error, xrefs: 0080519A
#include-once, xrefs: 007C782F
Unterminated group of comments, xrefs: 0080528C
#requireadmin, xrefs: 007C77FF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1a68cb7a597645b775d8a213b003f147709ed3f4ff2ef4cdb7afa84f5fe46214
Instruction ID: 329f013c8e33aff447018a4b260cf5543fe9fe30895c5b665ae13ff246ea91d8
Opcode Fuzzy Hash: 1a68cb7a597645b775d8a213b003f147709ed3f4ff2ef4cdb7afa84f5fe46214
Instruction Fuzzy Hash: 2781D471644609FBDB64AF60CD46FAF37A8FF14300F04402DF915AA296EB78DA15CBA1

Function 00833E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00833EF8
_wcslen.LIBCMT ref: 00833F03
_wcslen.LIBCMT ref: 00833F5A
_wcslen.LIBCMT ref: 00833F98
GetDriveTypeW.KERNEL32(?), ref: 00833FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00834059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00834087

Strings

close, xrefs: 00833EFE, 00833F18
type cdaudio alias cd wait, xrefs: 00834001
set cd door , xrefs: 00834028
open , xrefs: 00833FE5
open, xrefs: 00833F54, 00833F59
wait, xrefs: 00834044
close cd wait, xrefs: 00834072
closed, xrefs: 00833F08, 00833F2D, 00833F46, 00833F7E, 00833F97

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 1028b1f84218b9c85da7da50c984ede39f1e1a4dcad20dd87cbd74880d94fdc6
Instruction ID: 875e718ae1d2cafa2070e3ed7d0b5cf9641e48406217fec82c5abd4c97b76426
Opcode Fuzzy Hash: 1028b1f84218b9c85da7da50c984ede39f1e1a4dcad20dd87cbd74880d94fdc6
Instruction Fuzzy Hash: 1C71DE326046019FC310EF24C89096AB7F4FF98758F50492DF9A6D7251EB35ED49CB91

Function 00825A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00825A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00825A40
SetWindowTextW.USER32(?,?), ref: 00825A57
GetDlgItem.USER32(?,000003EA), ref: 00825A6C
SetWindowTextW.USER32(00000000,?), ref: 00825A72
GetDlgItem.USER32(?,000003E9), ref: 00825A82
SetWindowTextW.USER32(00000000,?), ref: 00825A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00825AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00825AC3
GetWindowRect.USER32(?,?), ref: 00825ACC
_wcslen.LIBCMT ref: 00825B33
SetWindowTextW.USER32(?,?), ref: 00825B6F
GetDesktopWindow.USER32 ref: 00825B75
GetWindowRect.USER32(00000000), ref: 00825B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00825BD3
GetClientRect.USER32(?,?), ref: 00825BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00825C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00825C2F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction ID: da2a4ff784b034964ab7b0e343dfb26438f3a42255afddad2daab6eb8c45038b
Opcode Fuzzy Hash: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction Fuzzy Hash: BB718C31900B19AFDB20DFA8DE89AAEBBF5FF48715F104918E542E25A0D774E984CF50

Function 0083FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0083FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0083FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0083FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0083FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0083FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0083FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0083FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0083FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0083FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0083FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0083FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0083FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0083FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0083FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0083FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0083FECC
GetCursorInfo.USER32(?), ref: 0083FEDC
GetLastError.KERNEL32 ref: 0083FF1E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8c493774697b64a1d58e55d56911f856a6e56d21e925c7315ffdea95bb446252
Instruction ID: dc1bcc2f93b7717b49cded5ffe1d956d44b911e7a89fbb330d073670b4fc9164
Opcode Fuzzy Hash: 8c493774697b64a1d58e55d56911f856a6e56d21e925c7315ffdea95bb446252
Instruction Fuzzy Hash: 284151B0D04319AADB109FBA8C89C5EBFE8FF44754B50452AE51DE7281DB78E901CE91

Function 007E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007E00C6

Part of subcall function 007E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0089070C,00000FA0,6C684819,?,?,?,?,008023B3,000000FF), ref: 007E011C
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008023B3,000000FF), ref: 007E0127
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008023B3,000000FF), ref: 007E0138
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007E014E
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007E015C
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007E016A
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E0195
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E01A0

___scrt_fastfail.LIBCMT ref: 007E00E7

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

Strings

WakeAllConditionVariable, xrefs: 007E0162
InitializeConditionVariable, xrefs: 007E0148
SleepConditionVariableCS, xrefs: 007E0154
kernel32.dll, xrefs: 007E0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 007E0122

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
Instruction ID: 5704595f4cea1ef2d04ecadd4c61e76f99e4a50c2358933773f4e1ee9e9e5739
Opcode Fuzzy Hash: 2e302204897b988ef97af9656817004b8e3b123d28ad178768dee9b9dcbe99dd
Instruction Fuzzy Hash: 4F21A732646754AFD7116BA5AC09B6E37B4FB09B62F14012AF911E6391DBBC98408ED0

Function 008230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082318D
_wcslen.LIBCMT ref: 008231F8

Strings

CLASS, xrefs: 00823188, 008231A5
TEXT, xrefs: 0082347C
REGEXPCLASS, xrefs: 00823255, 00823266
NAME, xrefs: 00823335, 00823346
CLASSNN, xrefs: 008231F3, 00823204
INSTANCE, xrefs: 00823453

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
Instruction ID: d37f5b5df863e973662a72d95a5611262eb30f3f5741d805b2730c2a7fd05f8a
Opcode Fuzzy Hash: 02ef06e8c079e2b8f2932daddd329d916d51f623c2b0075f1e7d9ea5d6c040ff
Instruction Fuzzy Hash: 94E1E232A00626EBCB14EFA8D465AEDBBB4FF14714F54811AE556F3240DB38AFC58790

Function 008344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0085CC08), ref: 00834527
_wcslen.LIBCMT ref: 0083453B
_wcslen.LIBCMT ref: 00834599
_wcslen.LIBCMT ref: 008345F4
_wcslen.LIBCMT ref: 0083463F
_wcslen.LIBCMT ref: 008346A7

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

GetDriveTypeW.KERNEL32(?,00886BF0,00000061), ref: 00834743

Strings

fixed, xrefs: 00834635, 0083463A
all, xrefs: 00834531, 00834536
ramdisk, xrefs: 008346F1
cdrom, xrefs: 0083458F, 00834594
removable, xrefs: 008345EA, 008345EF
unknown, xrefs: 00834708
network, xrefs: 0083469D, 008346A2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
Instruction ID: cf47882f041c04211554472462418021f935d3f08fa77f7029befdf8c78dc129
Opcode Fuzzy Hash: 3484166220c0fa6df35975e944ed1725e60799aef3c072f8575c0494c138b9d2
Instruction Fuzzy Hash: 85B110316083029FC710EF28C895A6AB7E5FFE5764F50591DF496C7292E734E844CBA2

Function 00843FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0085CC08), ref: 008440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0085CC08), ref: 008440F2
FreeLibrary.KERNEL32(00000000,?,0085CC08), ref: 0084413E
StringFromGUID2.OLE32(?,?,00000028,?,0085CC08), ref: 008441A8
SysFreeString.OLEAUT32(00000009), ref: 00844262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008442C8
SysFreeString.OLEAUT32(?), ref: 008442F2

Strings

GetModuleHandleExW, xrefs: 008440C7
kernel32.dll, xrefs: 008440B6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 258d9595e952e3093642f38a531571aa9c0f741e9ffefc906643524184dc0fa8
Instruction ID: db7258c4d6771efc7d6102c641a31ab69a83b602dfae67b552f895647763e389
Opcode Fuzzy Hash: 258d9595e952e3093642f38a531571aa9c0f741e9ffefc906643524184dc0fa8
Instruction Fuzzy Hash: A6121775A00219EFDB14CF94C888EAEBBB5FF45319F248098E905EB251D735ED46CBA0

Function 007C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00891990), ref: 00802F8D
GetMenuItemCount.USER32(00891990), ref: 0080303D
GetCursorPos.USER32(?), ref: 00803081
SetForegroundWindow.USER32(00000000), ref: 0080308A
TrackPopupMenuEx.USER32(00891990,00000000,?,00000000,00000000,00000000), ref: 0080309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008030A9

Strings

0, xrefs: 007C327D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6f0fecc99857b84118fde05cacdd0f43702024d55f275859092f46ba7de17129
Instruction ID: 858fe4a1ab6d46897904f843d0255b8a38af4c403606ae0e591ec51fc73b42de
Opcode Fuzzy Hash: 6f0fecc99857b84118fde05cacdd0f43702024d55f275859092f46ba7de17129
Instruction Fuzzy Hash: A1713870640316BEEB218F68DC4DF9ABF68FF04364F20421AF915A61E0C7B5AD10CB50

Function 00856CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00856DEB

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00856E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00856E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856E94
DestroyWindow.USER32(?), ref: 00856EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007C0000,00000000), ref: 00856EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856EFD
GetDesktopWindow.USER32 ref: 00856F16
GetWindowRect.USER32(00000000), ref: 00856F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00856F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00856F4D

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Strings

0, xrefs: 00856D98
tooltips_class32, xrefs: 00856E58, 00856EDD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction ID: 234091d1ffdf65cfcecc9ad01ea8c6df89d5ab738ba6ea19db615baa92533b52
Opcode Fuzzy Hash: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction Fuzzy Hash: 2F717870504345AFDB21DF18D848FAABBE9FB98306F94051EF989C7260DB74A91ACF11

Function 0085911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00859147

Part of subcall function 00857674: ClientToScreen.USER32(?,?), ref: 0085769A
Part of subcall function 00857674: GetWindowRect.USER32(?,?), ref: 00857710
Part of subcall function 00857674: PtInRect.USER32(?,?,00858B89), ref: 00857720

SendMessageW.USER32(?,000000B0,?,?), ref: 008591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00859225
SendMessageW.USER32(?,000000B0,?,?), ref: 0085923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00859255
SendMessageW.USER32(?,000000B1,?,?), ref: 00859277
DragFinish.SHELL32(?), ref: 0085927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00859371

Strings

@GUI_DRAGID, xrefs: 008592E9
@GUI_DROPID, xrefs: 0085929E
@GUI_DRAGFILE, xrefs: 00859320

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
Instruction ID: b9df979530ebeaa32944a4d3e3553421cc417edf425a0381945d297f1595e5ea
Opcode Fuzzy Hash: afabefc31699d937d1b77eb523e8dcf6c9747ad1183791a4da3c80a2f70b1478
Instruction Fuzzy Hash: 9F616C71108301AFC701EF64DC89EAFBBE9FF89751F40091EF695922A1DB349A49CB52

Function 0083C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0083C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0083C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0083C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C5F0
InternetCloseHandle.WININET(00000000), ref: 0083C5FB

Strings

, xrefs: 0083C575

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction ID: a86021cee42dfcff71bd508984dad9678aa1c3bbfd5620b8809d3aa25f86cb83
Opcode Fuzzy Hash: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction Fuzzy Hash: C15138B1500708BFDB219F64C988AAB7BBCFB88755F00451AF946E6610DB74E944DFA0

Function 0085856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00858592
GetFileSize.KERNEL32(00000000,00000000), ref: 008585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008585AD
CloseHandle.KERNEL32(00000000), ref: 008585BA
GlobalLock.KERNEL32(00000000), ref: 008585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008585D7
GlobalUnlock.KERNEL32(00000000), ref: 008585E0
CloseHandle.KERNEL32(00000000), ref: 008585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 008585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,?), ref: 00858611
GlobalFree.KERNEL32(00000000), ref: 00858621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00858641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00858671
DeleteObject.GDI32(00000000), ref: 00858699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008586AF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction ID: 6372ee05ddc3f96681af8d8353cef5d8a9b0e7c0d4b095abf6c02dfeed293cff
Opcode Fuzzy Hash: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction Fuzzy Hash: 36410775600308EFDB119FA5CC48EAABBB8FF99B16F104059F90AE7260DB349945CF60

Function 008314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00831502
VariantCopy.OLEAUT32(?,?), ref: 0083150B
VariantClear.OLEAUT32(?), ref: 00831517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00831657
VariantInit.OLEAUT32(?), ref: 00831708
SysFreeString.OLEAUT32(?), ref: 0083178C
VariantClear.OLEAUT32(?), ref: 008317D8
VariantClear.OLEAUT32(?), ref: 008317E7
VariantInit.OLEAUT32(00000000), ref: 00831823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00831625
Default, xrefs: 008316AF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9462075840be1d74840e31addef089a4bb0ec5c35de585ed42dcabd155d5594b
Instruction ID: 5683be3c03ffecb98681da6544804c34960198e479f667bb01ece32e6949bd75
Opcode Fuzzy Hash: 9462075840be1d74840e31addef089a4bb0ec5c35de585ed42dcabd155d5594b
Instruction Fuzzy Hash: 2CD1B171A00219EBDF109F65D88DB79B7B5FF84B04F14845AE806EB280DB38EC45DBA1

Function 0084B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0084B80A
RegCloseKey.ADVAPI32(?), ref: 0084B87E
RegCloseKey.ADVAPI32(?), ref: 0084B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0084B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0084B922
FreeLibrary.KERNEL32(00000000), ref: 0084B983
RegCloseKey.ADVAPI32(00000000), ref: 0084B994

Strings

RegDeleteKeyExW, xrefs: 0084B8FE
advapi32.dll, xrefs: 0084B8ED

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
Instruction ID: 0d022db7736114b4ca8787039d2c3ef67ee60df971509f30600908e32e9679ca
Opcode Fuzzy Hash: 6453ef7f7004ee4d0f858dbe0daa2827cf62d5ae30ed2c58a33d68b00d18b83a
Instruction Fuzzy Hash: 11C17B31208245EFD714DF24C499F2ABBE5FF84318F18855CE59A8B2A2CB35ED46CB91

Function 0084255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008425E8
CreateCompatibleDC.GDI32(?), ref: 008425F4
SelectObject.GDI32(00000000,?), ref: 00842601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0084266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008426D0
SelectObject.GDI32(?,?), ref: 008426D8
DeleteObject.GDI32(?), ref: 008426E1
DeleteDC.GDI32(?), ref: 008426E8
ReleaseDC.USER32(00000000,?), ref: 008426F3

Strings

(, xrefs: 0084268D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ac6effabd497cdb33942341afdca028488164fb98f284aa9021dcbf9bfdc7617
Instruction ID: d819e80876ad1845c5597e58cb96f3e1e0157af874c4bfc45156416322ecbe84
Opcode Fuzzy Hash: ac6effabd497cdb33942341afdca028488164fb98f284aa9021dcbf9bfdc7617
Instruction Fuzzy Hash: 1461C275D00619EFCF04CFA8D884AAEBBB5FF48310F20852AE955A7250E774A951CF54

Function 007FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007FDAA1

Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD659
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD66B
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD67D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD68F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6A1
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6B3
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6C5
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6D7
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6E9
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6FB
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD70D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD71F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD731

_free.LIBCMT ref: 007FDA96

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FDAB8
_free.LIBCMT ref: 007FDACD
_free.LIBCMT ref: 007FDAD8
_free.LIBCMT ref: 007FDAFA
_free.LIBCMT ref: 007FDB0D
_free.LIBCMT ref: 007FDB1B
_free.LIBCMT ref: 007FDB26
_free.LIBCMT ref: 007FDB5E
_free.LIBCMT ref: 007FDB65
_free.LIBCMT ref: 007FDB82
_free.LIBCMT ref: 007FDB9A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction ID: 799829d14c0927f6fe4ddb61f0c2f570c4dafb790b3ec564e3d1d76f330ca4fb
Opcode Fuzzy Hash: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction Fuzzy Hash: 2A315B71644209DFEB31AA78E849B7A77EAFF00311F114519E648E73A2DA79BC418B24

Function 0082365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0082369C
_wcslen.LIBCMT ref: 008236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00823797
GetClassNameW.USER32(?,?,00000400), ref: 0082380C
GetDlgCtrlID.USER32(?), ref: 0082385D
GetWindowRect.USER32(?,?), ref: 00823882
GetParent.USER32(?), ref: 008238A0
ScreenToClient.USER32(00000000), ref: 008238A7
GetClassNameW.USER32(?,?,00000100), ref: 00823921
GetWindowTextW.USER32(?,?,00000400), ref: 0082395D

Strings

%s%u, xrefs: 00823734

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
Instruction ID: 9979dd12483b1417e44b77402b45ae15511227801ef39de92be695d03c182df0
Opcode Fuzzy Hash: 69e2b7ba4c80add8fbb917325c4f7d224fa81c228ce40308d310342b16c1e8a5
Instruction Fuzzy Hash: D791D171204726AFD718DF24D8A5FAAF7E9FF45340F008529F999C2190DB38EA85CB91

Function 00824954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00824994
GetWindowTextW.USER32(?,?,00000400), ref: 008249DA
_wcslen.LIBCMT ref: 008249EB
CharUpperBuffW.USER32(?,00000000), ref: 008249F7
_wcsstr.LIBVCRUNTIME ref: 00824A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00824A64
GetWindowTextW.USER32(?,?,00000400), ref: 00824A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00824AE6
GetClassNameW.USER32(?,?,00000400), ref: 00824B20
GetWindowRect.USER32(?,?), ref: 00824B8B

Strings

ThumbnailClass, xrefs: 00824A6F, 00824AF1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
Instruction ID: 15a45442942fa4ad80686347ec42b88f27cfa446d0fbeeebe2c1198aeb70c367
Opcode Fuzzy Hash: d517923fc514db12ed1325e499c8db71a616e65658b4dcea2ccce06cbac1415e
Instruction Fuzzy Hash: A391BD7100432A9FDB04DF54E885BAA77E8FF84314F049469FD86DA096EB34ED85CBA1

Function 0082BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00891990,000000FF,00000000,00000030), ref: 0082BFAC
SetMenuItemInfoW.USER32(00891990,00000004,00000000,00000030), ref: 0082BFE1
Sleep.KERNEL32(000001F4), ref: 0082BFF3
GetMenuItemCount.USER32(?), ref: 0082C039
GetMenuItemID.USER32(?,00000000), ref: 0082C056
GetMenuItemID.USER32(?,-00000001), ref: 0082C082
GetMenuItemID.USER32(?,?), ref: 0082C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0082C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082C145

Strings

0, xrefs: 0082BF3D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: daab0eb9720af9632bc4b77e440fc725e3ece38e970322a3bac116fa51ac839f
Instruction ID: db685db1d309fc9449f13657e7f46b71003004c7273b60e007118f162e1fb5db
Opcode Fuzzy Hash: daab0eb9720af9632bc4b77e440fc725e3ece38e970322a3bac116fa51ac839f
Instruction Fuzzy Hash: 3A616BB090036AAFDF11CF68ED89ABEBBA8FF05344F140155E811E3291D735AD95CB61

Function 0084CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0084CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD48

Part of subcall function 0084CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0084CCAA
Part of subcall function 0084CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0084CCBD
Part of subcall function 0084CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084CCCF
Part of subcall function 0084CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD05
Part of subcall function 0084CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0084CCF3

Strings

RegDeleteKeyExW, xrefs: 0084CCC9
advapi32.dll, xrefs: 0084CCB8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction ID: 5a3a70278185d0505df676f476b1c4b9e4a69468dbe61879715e0740be9cd488
Opcode Fuzzy Hash: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction Fuzzy Hash: D8318A7190222DBFDB609BA4DC88EFFBB7CFF05751F000165A906E2250DA389A45DAA0

Function 00833D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00833D40
_wcslen.LIBCMT ref: 00833D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00833D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00833DBE
RemoveDirectoryW.KERNEL32(?), ref: 00833DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00833E55
CloseHandle.KERNEL32(00000000), ref: 00833E60
CloseHandle.KERNEL32(00000000), ref: 00833E6B

Strings

:, xrefs: 00833D82
\, xrefs: 00833D77
\??\%s, xrefs: 00833D5B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 7a14c922d5f8e9fb5980c69b3307ecca4bcc6a0045ce582174d3e5b54e16607b
Instruction ID: c8dfaab8efb55686cc37fe958db9ecd7f63631b8bb7286ef2fcd062b208b10c9
Opcode Fuzzy Hash: 7a14c922d5f8e9fb5980c69b3307ecca4bcc6a0045ce582174d3e5b54e16607b
Instruction Fuzzy Hash: A031927190024AABDB219BA0DC49FEF77BCFF88701F1041B6F619D6160EB7897848B64

Function 0082E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0082E6B4

Part of subcall function 007DE551: timeGetTime.WINMM(?,?,0082E6D4), ref: 007DE555

Sleep.KERNEL32(0000000A), ref: 0082E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0082E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0082E727
SetActiveWindow.USER32 ref: 0082E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0082E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0082E773
Sleep.KERNEL32(000000FA), ref: 0082E77E
IsWindow.USER32 ref: 0082E78A
EndDialog.USER32(00000000), ref: 0082E79B

Strings

BUTTON, xrefs: 0082E719

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction ID: 7750904e7cf03c79a9a900e97f083272da8c5932e67320f1dc8372e8009db7c3
Opcode Fuzzy Hash: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction Fuzzy Hash: 5F219370304315BFEB11AFA4FC89A253BA9F77474AF140426F516C16A2DB79AC40DF29

Function 0082E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0082EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0082EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0082EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0082EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0082EAA7

Strings

status PlayMe mode, xrefs: 0082EA58
open , xrefs: 0082EA0C
close PlayMe, xrefs: 0082EA6E, 0082EA9B
play PlayMe, xrefs: 0082EAA2
alias PlayMe, xrefs: 0082EA36
play PlayMe wait, xrefs: 0082EA91

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
Instruction ID: 909c664c36aee1055bccee6e58921691cca18a42e9ca7c5be003a4f512dac22a
Opcode Fuzzy Hash: 8040dba88ddd6feb1b42121799290e454fd85895c398a2634fadda5f714b9508
Instruction Fuzzy Hash: B1114F21A90269B9D720B7A1EC4AEFF6B7CFBD1B40F40042DB811E21D1EA741955C6B0

Function 00829F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0082A012
SetKeyboardState.USER32(?), ref: 0082A07D
GetAsyncKeyState.USER32(000000A0), ref: 0082A09D
GetKeyState.USER32(000000A0), ref: 0082A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0082A0E3
GetKeyState.USER32(000000A1), ref: 0082A0F4
GetAsyncKeyState.USER32(00000011), ref: 0082A120
GetKeyState.USER32(00000011), ref: 0082A12E
GetAsyncKeyState.USER32(00000012), ref: 0082A157
GetKeyState.USER32(00000012), ref: 0082A165
GetAsyncKeyState.USER32(0000005B), ref: 0082A18E
GetKeyState.USER32(0000005B), ref: 0082A19C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6e313eb1780e3227169e5972a6abae50c9895c364d2b15760000e441623fb5b4
Instruction ID: 818fd8c0a4b4bb334d3e845b33a6f44fa89cf679a63dbe08e28b792c19524bf3
Opcode Fuzzy Hash: 6e313eb1780e3227169e5972a6abae50c9895c364d2b15760000e441623fb5b4
Instruction Fuzzy Hash: 1C510B205047A86AFB39DBA4A9107EABFF4FF11350F084599D5C2D71C2DA649ACCCB63

Function 00825CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00825CE2
GetWindowRect.USER32(00000000,?), ref: 00825CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00825D59
GetDlgItem.USER32(?,00000002), ref: 00825D69
GetWindowRect.USER32(00000000,?), ref: 00825D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00825DCF
GetDlgItem.USER32(?,000003E9), ref: 00825DDD
GetWindowRect.USER32(00000000,?), ref: 00825DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00825E31
GetDlgItem.USER32(?,000003EA), ref: 00825E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00825E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00825E67

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction ID: a825481e42e4ee0583d0b35df4a1637e335da7e1a8ed97395723ffe22a448f53
Opcode Fuzzy Hash: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction Fuzzy Hash: 5D511C71A40719AFDF18CF68DD89AAEBBB5FB48301F108129F915E6290D774AE40CF50

Function 007D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

DestroyWindow.USER32(?), ref: 007D8C81
KillTimer.USER32(00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00816973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 008169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,007D8BBA,00000000), ref: 008169D4
DeleteObject.GDI32(00000000), ref: 008169E6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction ID: 66c070590683f01a8e02922216fd15755c2179afa99ddbf1d4ee31971ad0d14b
Opcode Fuzzy Hash: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction Fuzzy Hash: B961BE30116711DFCF61AF18D948B69BBF5FF40312F18455EE0869AAA0CB39A8D0CF62

Function 007D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetSysColor.USER32(0000000F), ref: 007D9862

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction ID: 89a8da4ea17af5fba55641aa0171cca1bb136aaf8ef594253daf6327f1eeacc0
Opcode Fuzzy Hash: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction Fuzzy Hash: 714173311447449FDB205F389C88BB93B75FB46771F14461AFAA2872E1D7399D41EB10

Function 007F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.~, xrefs: 007F903A, 007F8FD0, 007F8FF2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: .~
API String ID: 0-505086709
Opcode ID: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction ID: 0a6a9fad284a35817a476b5e280936ea8de0462b85be011fc2c4508798c73d06
Opcode Fuzzy Hash: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction Fuzzy Hash: 84C1D37590424EEFCB11EFA9D845BBDBBB4BF09310F084059E714A7392CB399941CB61

Function 008296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00829717
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829720

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00829742
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00829866

Strings

^ ERROR, xrefs: 008297FB
Line %d (File "%s"):, xrefs: 0082978F
Line %d:, xrefs: 008297A0
%s (%d) : ==> %s: %s %s, xrefs: 0082984A
Error: , xrefs: 0082981D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 46368d359991ff8bf58532c44a7f40bd333f8994475d1ace1853d870ed6062a7
Instruction ID: a63d61bb1e4dcbf13ddcc244630ff7125b06ecf622f86473747527d33cfa57a2
Opcode Fuzzy Hash: 46368d359991ff8bf58532c44a7f40bd333f8994475d1ace1853d870ed6062a7
Instruction Fuzzy Hash: 13412072900219AADB14FBE0DD4AEEEB778FF15340F10016DF605B2192EA396F58CB61

Function 008206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00820804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0082082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00820837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082083C

Strings

SOFTWARE\Classes\, xrefs: 0082070E
\IPC$, xrefs: 00820784
\CLSID, xrefs: 00820724

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: fefe9afe509ce04db1dfcaa396debbf837e1e0f9c8d201ba045034de2f11b93c
Instruction ID: 277844d0c6a75b7824f6206a978221fa0e9c68246054ac012ee4004225347a27
Opcode Fuzzy Hash: fefe9afe509ce04db1dfcaa396debbf837e1e0f9c8d201ba045034de2f11b93c
Instruction Fuzzy Hash: 9B41E572C10629EBDF11EBA4EC89DEEB778FF04350B144129E915A31A1EB349E44CF90

Function 00853F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0085403B
CreateCompatibleDC.GDI32(00000000), ref: 00854042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00854055
SelectObject.GDI32(00000000,00000000), ref: 0085405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00854068
DeleteDC.GDI32(00000000), ref: 00854072
GetWindowLongW.USER32(?,000000EC), ref: 0085407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00854092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0085409E

Strings

static, xrefs: 00853FD3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 52be2c52a384d9d24e2063906ceabfc2090658822f24ae20d2f8b8ade990146d
Instruction ID: a3edc002c633b20db73ad8b2ccfb41aaf2f830e39936292eece57b219c46d82a
Opcode Fuzzy Hash: 52be2c52a384d9d24e2063906ceabfc2090658822f24ae20d2f8b8ade990146d
Instruction Fuzzy Hash: 74315832540719AFDF229FA8CC48FDA3BA9FF09366F100215FA19E61A0D779D854DB60

Function 00843C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00843C5C
CoInitialize.OLE32(00000000), ref: 00843C8A
CoUninitialize.OLE32 ref: 00843C94
_wcslen.LIBCMT ref: 00843D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00843DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00843ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00843F0E
CoGetObject.OLE32(?,00000000,0085FB98,?), ref: 00843F2D
SetErrorMode.KERNEL32(00000000), ref: 00843F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00843FC4
VariantClear.OLEAUT32(?), ref: 00843FD8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b9928ea1d35e83802f28362078610ce62c7508060c525350fb870e8d5dd73388
Instruction ID: 10ed1c152e1e8150ef98d16cf97f3e01085463f68055e0b426330cd43389dd55
Opcode Fuzzy Hash: b9928ea1d35e83802f28362078610ce62c7508060c525350fb870e8d5dd73388
Instruction Fuzzy Hash: 94C10271608309AFD700DF68C884A2AB7E9FF89748F10491DF98ADB251DB31EE05CB52

Function 00837A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00837AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00837B8F
SHGetDesktopFolder.SHELL32(?), ref: 00837BA3
CoCreateInstance.OLE32(0085FD08,00000000,00000001,00886E6C,?), ref: 00837BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00837C74
CoTaskMemFree.OLE32(?,?), ref: 00837CCC
SHBrowseForFolderW.SHELL32(?), ref: 00837D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00837D7A
CoTaskMemFree.OLE32(00000000), ref: 00837D81
CoTaskMemFree.OLE32(00000000), ref: 00837DD6
CoUninitialize.OLE32 ref: 00837DDC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 059190fe67f7c91d2edceee5378a1fe6e825b555440d9284d5abbb41155d1a37
Instruction ID: 45703d74833cb90b1a4e78e3331c85caeaaef3ae057fe053bfb3d7d3b36dc2f1
Opcode Fuzzy Hash: 059190fe67f7c91d2edceee5378a1fe6e825b555440d9284d5abbb41155d1a37
Instruction Fuzzy Hash: CFC1F975A04209AFCB14DF64C888DAEBBF9FF48314F1484A9E915DB261D734ED45CB90

Function 0085541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00855504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00855515
CharNextW.USER32(00000158), ref: 00855544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00855585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0085559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008555AC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 47b9eb042593ba04f8ad3881938046bac9bf856324bf3471141dac6cee42f93b
Instruction ID: ce0baee2529dc9f555b080a54a6cda9198babec5c233fa2831781b2c68e1b0f9
Opcode Fuzzy Hash: 47b9eb042593ba04f8ad3881938046bac9bf856324bf3471141dac6cee42f93b
Instruction Fuzzy Hash: 4861BE74904608EFDF109F94DC94AFE7BB9FB09326F104049F925E7290D7388A88DB60

Function 0081FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0081FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0081FB08
VariantInit.OLEAUT32(?), ref: 0081FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0081FB3A
VariantCopy.OLEAUT32(?,?), ref: 0081FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0081FBA1
VariantClear.OLEAUT32(?), ref: 0081FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0081FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBCC
VariantClear.OLEAUT32(?), ref: 0081FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBE9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 999acc51bacd6e7522329eeb7053191a2890ca53bdcef62dc5dadbf4833e0d4e
Instruction ID: cf4e7148e3654ce18ab9b46974321c116c9a5858023687b3b6937a2853979c83
Opcode Fuzzy Hash: 999acc51bacd6e7522329eeb7053191a2890ca53bdcef62dc5dadbf4833e0d4e
Instruction Fuzzy Hash: AE413075A00219DFCB00DF68C858DEDBBB9FF48355F008069E955E7262C734A946CFA0

Function 00829C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00829CA1
GetAsyncKeyState.USER32(000000A0), ref: 00829D22
GetKeyState.USER32(000000A0), ref: 00829D3D
GetAsyncKeyState.USER32(000000A1), ref: 00829D57
GetKeyState.USER32(000000A1), ref: 00829D6C
GetAsyncKeyState.USER32(00000011), ref: 00829D84
GetKeyState.USER32(00000011), ref: 00829D96
GetAsyncKeyState.USER32(00000012), ref: 00829DAE
GetKeyState.USER32(00000012), ref: 00829DC0
GetAsyncKeyState.USER32(0000005B), ref: 00829DD8
GetKeyState.USER32(0000005B), ref: 00829DEA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction ID: 58ce416ef76860571ea2aabbdc67a421fa7e25b5264796330d426ef78be52059
Opcode Fuzzy Hash: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction Fuzzy Hash: 4641D6345047D96DFF308664E8043B5BEE0FF11344F04805EDAC6965C2EBE499C8DBA2

Function 0084055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008405BC
inet_addr.WSOCK32(?), ref: 0084061C
gethostbyname.WSOCK32(?), ref: 00840628
IcmpCreateFile.IPHLPAPI ref: 00840636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008407B9
WSACleanup.WSOCK32 ref: 008407BF

Strings

Ping, xrefs: 00840676

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 603adfd17cea1fbca9eb0bda58e087b1944c414fdbdef742629afda2855b7b84
Instruction ID: 679abf5bfe679ffc303341b132986380dab7af22b02d539f9e44e502d5ff3876
Opcode Fuzzy Hash: 603adfd17cea1fbca9eb0bda58e087b1944c414fdbdef742629afda2855b7b84
Instruction Fuzzy Hash: 8E9157356043059FD320DF15C889F1ABBE0FB88318F1585A9E66ADB6A2C735ED41CF92

Function 00848CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00848CF3

Part of subcall function 00828E54: _wcslen.LIBCMT ref: 00828E77

_wcslen.LIBCMT ref: 00848D4E
_wcslen.LIBCMT ref: 00848D9C
_wcslen.LIBCMT ref: 00848DDC
_wcslen.LIBCMT ref: 00848E6E

Strings

winapi, xrefs: 00848D96, 00848D9B
none, xrefs: 00848E65, 00848E6A
cdecl, xrefs: 00848D48, 00848D4D
stdcall, xrefs: 00848DD6, 00848DDB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
Instruction ID: cac2f49caa7152924ea0bd40af5d7af20fe5438fc059fd7dea5e2ac9f15f188e
Opcode Fuzzy Hash: ab5ca4eb60bf2e9c477cf90e91529d65e130be5c818d4dfd095efff00a6fe6f1
Instruction Fuzzy Hash: E6519031A0111ADBCF24EFACC9409BEB7A5FF64724B214229E926E72C5EB35DD40C790

Function 0084372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00843774
CoUninitialize.OLE32 ref: 0084377F
CoCreateInstance.OLE32(?,00000000,00000017,0085FB78,?), ref: 008437D9
IIDFromString.OLE32(?,?), ref: 0084384C
VariantInit.OLEAUT32(?), ref: 008438E4
VariantClear.OLEAUT32(?), ref: 00843936

Strings

Invalid parameter, xrefs: 00843865
NULL Pointer assignment, xrefs: 0084381E
Failed to create object, xrefs: 008437E4, 0084389A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
Instruction ID: 3abb555afe6fdc8937a07397e016269bd4f1e5401c81806859e4ea36363c6c67
Opcode Fuzzy Hash: aeb995adcbeb73302d1a8a1b71bb5288492ca255acfaac6daf2772b776784cc6
Instruction Fuzzy Hash: 7F616AB0608315AFD310DF54C889B6ABBE8FF49715F100829F995DB291D774EE48CB92

Function 00833388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008333CF

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008333F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00833504
Line %d (File "%s"):, xrefs: 00833443, 0083345C
"%s" (%d) : ==> %s:, xrefs: 00833522
Incorrect parameters to object property !, xrefs: 008334AB
^ ERROR , xrefs: 0083349E
Error: , xrefs: 008334D1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
Instruction ID: abd8cabedb6422c54157ca4a478dbdcfe090c768ebcdebc30cdddb9f1a2ff19e
Opcode Fuzzy Hash: 8c11d9549bd51f87184d04dc85ccb752c26af71e6ca54eeb460480ca885648c8
Instruction Fuzzy Hash: A951BE3190020AEADF14EBA0DD4AEEEB7B8FF14340F104169F505B2192EB392F58DB61

Function 0082B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0082B5FC
_wcslen.LIBCMT ref: 0082B608
_wcslen.LIBCMT ref: 0082B64D
_wcslen.LIBCMT ref: 0082B68C
_wcslen.LIBCMT ref: 0082B6C7

Strings

KEYS, xrefs: 0082B647, 0082B64C
EXISTS, xrefs: 0082B686, 0082B68B
APPEND, xrefs: 0082B6C1, 0082B6C6
REMOVE, xrefs: 0082B602, 0082B607

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
Instruction ID: 4af1de377458b904db5fb1ee7578e6c1d393765d68e8528c99939f7488ec2bb3
Opcode Fuzzy Hash: 63b35fbdc7f8c79a3abf3c88ceb918a9d51fc2079d64b42445433dc9eb5f6824
Instruction Fuzzy Hash: B741A532A021369BCB206FBD98905BE77A5FB70758B244229E562D7284F735CDC1C790

Function 00835393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00835416
GetLastError.KERNEL32 ref: 00835420
SetErrorMode.KERNEL32(00000000,READY), ref: 008354A7

Strings

READONLY, xrefs: 00835452
UNKNOWN, xrefs: 00835444
INVALID, xrefs: 00835459
READY, xrefs: 00835460, 00835468
NOTREADY, xrefs: 0083544B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
Instruction ID: 1c6a831d21927122c3cae6bc8082f60cf8a9117d572e8f6e9990cf660a6c1cf8
Opcode Fuzzy Hash: 5e1b3656d63530f551a156777de2e7aa76b694ba14acd260c30c022279b63cda
Instruction Fuzzy Hash: 523180B5A006089FC714DF68C488FAABBB4FF85309F148069E905DB292E775DD86CBD1

Function 00853C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00853C79
SetMenu.USER32(?,00000000), ref: 00853C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853D10
IsMenu.USER32(?), ref: 00853D24
CreatePopupMenu.USER32 ref: 00853D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853D5B
DrawMenuBar.USER32 ref: 00853D63

Strings

F, xrefs: 00853D4E
0, xrefs: 00853C54

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction ID: 5b634b9ff1332377d7e3c97e6f8531e1a76c1122273166e9f8dd85372b5f997e
Opcode Fuzzy Hash: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction Fuzzy Hash: 82415775A01309EFDB14CFA4D844BAABBB5FF49392F140029ED46A7360D734AA18CF90

Function 00821EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00821F64
GetDlgCtrlID.USER32 ref: 00821F6F
GetParent.USER32 ref: 00821F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00821F8E
GetDlgCtrlID.USER32(?), ref: 00821F97
GetParent.USER32(?), ref: 00821FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00821FAE

Strings

ListBox, xrefs: 00821F21
ComboBox, xrefs: 00821EEC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: c00da9a20fbe483b967b40e87321349413e794f207e18e80062d5e33f3539c5b
Instruction ID: 566f2b534bc7bfec6d9b8a9c1a8aa497066bb24dcefce2a3dafffbb5539ac9d5
Opcode Fuzzy Hash: c00da9a20fbe483b967b40e87321349413e794f207e18e80062d5e33f3539c5b
Instruction Fuzzy Hash: 2A21C570A00214BFCF04AFA0DC59EEEBBB5FF25310B100119F961A7291DB385A54DB60

Function 00821FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00822043
GetDlgCtrlID.USER32 ref: 0082204E
GetParent.USER32 ref: 0082206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0082206D
GetDlgCtrlID.USER32(?), ref: 00822076
GetParent.USER32(?), ref: 0082208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0082208D

Strings

ListBox, xrefs: 00822002
ComboBox, xrefs: 00821FCD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a1618488a314bd86871d25900e92c610f01c59b3e08b0e9e6b1cc69d038bb77a
Instruction ID: 8808a861568103791829e7c0af6e4f5a0b38f42f6c702578ee4f33d5ea929a69
Opcode Fuzzy Hash: a1618488a314bd86871d25900e92c610f01c59b3e08b0e9e6b1cc69d038bb77a
Instruction Fuzzy Hash: 7A21C271900218BFCF10AFA0DC49EEEBBB8FF15300F000419B951A72A1DB795954DB60

Function 00853A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00853A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00853AA0
GetWindowLongW.USER32(?,000000F0), ref: 00853AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00853AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00853B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00853BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00853BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00853BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00853BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00853C13

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
Instruction ID: 39c229bde0c697f8fb87be3bc3fbbd7d2b035bc408bf926c02d46fcaf21aa115
Opcode Fuzzy Hash: 234ab90af00932a804482343aef1084e8fe9ae74e39771d01afef405a77df36c
Instruction Fuzzy Hash: 1E617875A00208AFDB11DFA8CC85EEEB7B8FB09750F14409AFA15E72A1C774AE45DB50

Function 0082B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B165
GetWindowThreadProcessId.USER32(00000000), ref: 0082B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0082B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B21D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction ID: 3fbca6b2dc2f573d0c75c1525bed491b914aa24aad457baf715d49fd1b3ff6f5
Opcode Fuzzy Hash: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction Fuzzy Hash: A63189B5511714EFDB10AF64EC48B6E7BA9FB61312F14400AFA02D6191D7B89A80CF64

Function 007F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F2C94

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F2CA0
_free.LIBCMT ref: 007F2CAB
_free.LIBCMT ref: 007F2CB6
_free.LIBCMT ref: 007F2CC1
_free.LIBCMT ref: 007F2CCC
_free.LIBCMT ref: 007F2CD7
_free.LIBCMT ref: 007F2CE2
_free.LIBCMT ref: 007F2CED
_free.LIBCMT ref: 007F2CFB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction ID: 148bf57f52749e1f80555ee72404c39cbf539e99d82ee78528d34da244b03d05
Opcode Fuzzy Hash: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction Fuzzy Hash: 5A11807614010DEFCB02EF94D886CAD3BA5BF05350F5144A5FA48AB332DA75EA519F90

Function 00837DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00837FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00837FC1
GetFileAttributesW.KERNEL32(?), ref: 00837FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00838005
SetCurrentDirectoryW.KERNEL32(?), ref: 00838017
SetCurrentDirectoryW.KERNEL32(?), ref: 00838060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008380B0

Strings

*.*, xrefs: 00838066

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e8ec9025c627e1b97cae3c6a3010e9143f9517a67ec349d198c5e5cc35674310
Instruction ID: 18ea1dee8fadd51b538f60904bdd7673d6c1bf29969d97ac1c4da601d3e05785
Opcode Fuzzy Hash: e8ec9025c627e1b97cae3c6a3010e9143f9517a67ec349d198c5e5cc35674310
Instruction Fuzzy Hash: 75817DB2508345DBCB34EF14C894AAAB3E8FBC8714F14486EF885D7250EB79DD458B92

Function 007C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007C5C7A

Part of subcall function 007C5D0A: GetClientRect.USER32(?,?), ref: 007C5D30
Part of subcall function 007C5D0A: GetWindowRect.USER32(?,?), ref: 007C5D71
Part of subcall function 007C5D0A: ScreenToClient.USER32(?,?), ref: 007C5D99

GetDC.USER32 ref: 008046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00804708
SelectObject.GDI32(00000000,00000000), ref: 00804716
SelectObject.GDI32(00000000,00000000), ref: 0080472B
ReleaseDC.USER32(?,00000000), ref: 00804733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008047C4

Strings

U, xrefs: 00804693

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
Instruction ID: ce6abef5fbf266bc86b5a3458114e8310efb7b12000445c9182520b3e11f88a4
Opcode Fuzzy Hash: cfd3eb0f1f8b6aa1d693881df3a001e3861b63f9482b759d13e9408ee52497e2
Instruction Fuzzy Hash: DF71F170500209DFCF618F64CD84EBA3BB1FF4A315F185269EE519A2A6D7369881DF60

Function 0083359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008335E4

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00892390,?,00000FFF,?), ref: 0083360A

Strings

^ ERROR, xrefs: 008336C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00833724
Line %d (File "%s"):, xrefs: 0083366B
"%s" (%d) : ==> %s:, xrefs: 00833742
Error: , xrefs: 008336EF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
Instruction ID: ad8d2e08a3e4e001e93e7c25c4fb0c91338eff452f960f4ecd1827d2dde71829
Opcode Fuzzy Hash: ecee116e0739371d9298d38b3b360d59f6b16837960df311462c52e91b943f6f
Instruction Fuzzy Hash: DF516D7190021AFADF14EBA0DC4AEEDBB78FF14340F144129F515B21A1EB381A98DFA1

Function 0083C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C2CA
GetLastError.KERNEL32 ref: 0083C322
SetEvent.KERNEL32(?), ref: 0083C336
InternetCloseHandle.WININET(00000000), ref: 0083C341

Strings

, xrefs: 0083C2BB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction ID: 6412d31e1343938fdaabcf3b6f47eeed56a73ad4d9907122ef4fa7cea6b2ea44
Opcode Fuzzy Hash: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction Fuzzy Hash: 52314DB1600708AFDB219F65DC88AAB7BFCFB89745F14851DF446E6200DB34DD059BA1

Function 0082989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00803AAF,?,?,Bad directive syntax error,0085CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008298BC
LoadStringW.USER32(00000000,?,00803AAF,?), ref: 008298C3

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00829987

Strings

Line %d (File "%s"):, xrefs: 0082992D
%s (%d) : ==> %s.: %s %s, xrefs: 008298F1
Error: , xrefs: 00829955
Line %d:, xrefs: 00829912
., xrefs: 0082996D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
Instruction ID: ec59cfcd30ed32bce4f2491fa1bd39d6a9e0e23edde665cbc686ab7efa9a5cf8
Opcode Fuzzy Hash: 1f1a3fba22dcf1b714b8bdf5cc9490acbec906fc5dbd901f3c6d2856531527e2
Instruction Fuzzy Hash: AF21803190031AEBCF11AF90DC0AEEE7779FF18304F04445EF529A61A2EB399668CB11

Function 0082209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0082214D

Strings

list, xrefs: 0082212F
smallicons, xrefs: 00822115
SHELLDLL_DefView, xrefs: 008220CC
largeicons, xrefs: 008220E1
details, xrefs: 008220FB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction ID: 457452c497638deedea74084079feb82a7b57569c9a3c097be2f8d19aad2ccb1
Opcode Fuzzy Hash: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction Fuzzy Hash: 8211277A684716F9F6012221AC0ACE637DCFF18334B200026F704E40D1FF6978A15618

Function 007FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 007FCEB7
_free.LIBCMT ref: 007FCF22
_free.LIBCMT ref: 007FCF48
_free.LIBCMT ref: 007FCF71
_free.LIBCMT ref: 007FCFA9
_free.LIBCMT ref: 007FCFDA
_free.LIBCMT ref: 007FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 007FD09C
_free.LIBCMT ref: 007FD0B5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3e275494792d96a89074c2d0fae218661fc0ea0fbb121ea7901a00fa06c4b27b
Instruction ID: c5f044e4c979612d5c0d8d6c691afa57c06959d708f898b73044ebe8bcbe0b89
Opcode Fuzzy Hash: 3e275494792d96a89074c2d0fae218661fc0ea0fbb121ea7901a00fa06c4b27b
Instruction Fuzzy Hash: 8361287290430DAFDB22AFB49949679BBE5EF05320F04426EFB41A7382D63D9D019B50

Function 008550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00855186
ShowWindow.USER32(?,00000000), ref: 008551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008551D1

Part of subcall function 00856FBA: DeleteObject.GDI32(00000000), ref: 00856FE6

GetWindowLongW.USER32(?,000000F0), ref: 0085520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0085521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0085524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00855287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00855296

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
Instruction ID: 18ca3a688ade054c403ff73cb2f014919265f0ba615df94e765a9b297b104c4b
Opcode Fuzzy Hash: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
Instruction Fuzzy Hash: 4C518F30A90A09BEEF209F24CC69B983BA5FB05367F144016FE15D66E0C775A988DF41

Function 007D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00816890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00816901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0081691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,007D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0081692D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction ID: 35a7f22effe271234a2e4a27f2b0d7205f7cd8c0b0e06e82e41cf8501165d792
Opcode Fuzzy Hash: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction Fuzzy Hash: 69518AB0600305EFDB20DF28CC95FAA7BB5FF48351F14452AF956D62A0EB74A990DB50

Function 0083C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C182
GetLastError.KERNEL32 ref: 0083C195
SetEvent.KERNEL32(?), ref: 0083C1A9

Part of subcall function 0083C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
Part of subcall function 0083C253: GetLastError.KERNEL32 ref: 0083C322
Part of subcall function 0083C253: SetEvent.KERNEL32(?), ref: 0083C336
Part of subcall function 0083C253: InternetCloseHandle.WININET(00000000), ref: 0083C341

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction ID: 55a03792e8d970f7e1cb8b637689345fc726e385bf9329e2c6fdd7acb07f66be
Opcode Fuzzy Hash: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction Fuzzy Hash: CC317871200705AFDB219FA9DC44A6BBBE9FF98301F00442DF956E6610DB34E814EFA0

Function 008225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00822601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00822605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0082260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00822623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00822627

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction ID: aadd33f229d9ee95b329cb83597e25192174aed9aff3668e8486854835b64916
Opcode Fuzzy Hash: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction Fuzzy Hash: AE01D431390724BBFB1067689C8AF593F99FB5EB12F100016F318EE1D1C9E624848E6A

Function 00821803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00821449,?,?,00000000), ref: 0082180C
HeapAlloc.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821828
GetCurrentProcess.KERNEL32(?,00000000,?,00821449,?,?,00000000), ref: 00821830
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821843
GetCurrentProcess.KERNEL32(00821449,00000000,?,00821449,?,?,00000000), ref: 0082184B
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 0082184E
CreateThread.KERNEL32(00000000,00000000,00821874,00000000,00000000,00000000), ref: 00821868

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction ID: c9b630d17981d7986f3ee78d21fa1528d1a997e1db6ebe5b7e38d34d8272e93c
Opcode Fuzzy Hash: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction Fuzzy Hash: 9101A8B5680708BFEA10ABA5DC4DF6B7BACFB89B11F404411FA05DB2A1CA749844CF20

Function 007F3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007F3F0B
__alldvrm.LIBCMT ref: 007F410C
__alldvrm.LIBCMT ref: 007F412E

Strings

}}~, xrefs: 007F3E96, 007F3EF1, 007F3F0A, 007F4090
}}~, xrefs: 007F40CD
}}~, xrefs: 007F3E8A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}~$}}~$}}~
API String ID: 1036877536-980401515
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a83b395225473955e3d6d073bf53ac8486c36a11e46acbf9b6e35fe3aeecbd3d
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 60A12672E0028E9FEB25CE18C8917BFBBE4EF65350F1441ADE6959B382D63C8981C751

Function 0084A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0082D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Part of subcall function 0082D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Part of subcall function 0082D4DC: CloseHandle.KERNELBASE(00000000), ref: 0082D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A16D
GetLastError.KERNEL32 ref: 0084A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0084A268
GetLastError.KERNEL32(00000000), ref: 0084A273
CloseHandle.KERNEL32(00000000), ref: 0084A2C4

Strings

SeDebugPrivilege, xrefs: 0084A18F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3d50e788c1d241437e0306e1f1a0f049242570a791d93239aac55aa6f36ccab7
Instruction ID: eb6881e024c5b5ab7fe1706f7e8a1a05c455af64474c84fd168dcbb4e315c2f8
Opcode Fuzzy Hash: 3d50e788c1d241437e0306e1f1a0f049242570a791d93239aac55aa6f36ccab7
Instruction Fuzzy Hash: DD617B312442569FD724DF18C498F2ABBA1FF54318F18848CE4668F7A2C7B6ED45CB92

Function 00853886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00853925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0085393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00853954
_wcslen.LIBCMT ref: 00853999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008539F4

Strings

SysListView32, xrefs: 008538F7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
Instruction ID: cd63969a9a7897e7bf89b5248c65ba31ff5ede642a17bae90bea9d0bfb493fb5
Opcode Fuzzy Hash: b142457c139606c6a6d2d2ea0a80a6bf664eb0ea376de8e8074874bbc543a112
Instruction Fuzzy Hash: 21419571A00319ABEF219F64CC49FEA7BA9FF08395F10052AF954E7281D7759E84CB90

Function 0082BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082BCFD
IsMenu.USER32(00000000), ref: 0082BD1D
CreatePopupMenu.USER32 ref: 0082BD53
GetMenuItemCount.USER32(01345618), ref: 0082BDA4
InsertMenuItemW.USER32(01345618,?,00000001,00000030), ref: 0082BDCC

Strings

0, xrefs: 0082BCA8
2, xrefs: 0082BD37

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction ID: de5a772d43b379bae56b7f94c523db56320e00e86f5ed700f302b2e3eb224c78
Opcode Fuzzy Hash: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction Fuzzy Hash: BD51AD70A02329ABDB10CFA8E888BEEBBF4FF45354F148159E851D72D1E7749981CB61

Function 007E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 007E2D53
_ValidateLocalCookies.LIBCMT ref: 007E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 007E2E0C
_ValidateLocalCookies.LIBCMT ref: 007E2E61

Strings

&H~, xrefs: 007E2DFE, 007E2E07, 007E2E18
csm, xrefs: 007E2DF6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H~$csm
API String ID: 1170836740-3418752573
Opcode ID: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction ID: d0d074d5457f3f40d52769fed0f9e79a1335d4f8535167e878daac8cc9d822c1
Opcode Fuzzy Hash: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction Fuzzy Hash: CE41A934E02249EBCF10DF59CC49A9EBBB9BF48314F148155E9149B353D7799A12CB90

Function 0082C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0082C913

Strings

warning, xrefs: 0082C8FC
stop, xrefs: 0082C8E4
question, xrefs: 0082C8CC
blank, xrefs: 0082C895
info, xrefs: 0082C8B4

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction ID: 72d82e15cff4d987e9a9eb35d4323dcf661ae38b10df57d546cd7a208b041e17
Opcode Fuzzy Hash: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction Fuzzy Hash: 26112E3168931ABAE7006B54AC82CBE2B9CFF15324B50403AF500E6281E7A85DC05768

Function 0082DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0082DE42
gethostname.WSOCK32(?,00000100), ref: 0082DE5C
gethostbyname.WSOCK32(?), ref: 0082DE69
inet_ntoa.WSOCK32(?), ref: 0082DEAB
_strcat.LIBCMT ref: 0082DEB9
WSACleanup.WSOCK32 ref: 0082DEDE

Strings

0.0.0.0, xrefs: 0082DE87

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 84e4a7d1afa504b37e7d05a375726fd27daaa5033127ec5ffb1b8806b65b56fb
Instruction ID: 374c53dbccb141e0e47bca5ee0d0986e0abd7cdd1003c043b6f4acb88e568464
Opcode Fuzzy Hash: 84e4a7d1afa504b37e7d05a375726fd27daaa5033127ec5ffb1b8806b65b56fb
Instruction Fuzzy Hash: 1B110A75904318AFDB20BB64AC0ADEE7B6CFF18711F0101B9F445EA091EF789AC18A60

Function 00859F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

GetSystemMetrics.USER32(0000000F), ref: 00859FC7
GetSystemMetrics.USER32(0000000F), ref: 00859FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085A263
ShowWindow.USER32(00000003,00000000), ref: 0085A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0085A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0085A2CA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: cdfbac1703eb9f7f5e8c75176fddc226ef3123369eb8e87848a35b78807cac28
Instruction ID: 2b263212240770f56277c11ca1462b7495c771d799e3889619898d8ed954fbd2
Opcode Fuzzy Hash: cdfbac1703eb9f7f5e8c75176fddc226ef3123369eb8e87848a35b78807cac28
Instruction Fuzzy Hash: D2B17835600619DFDF18CF68C9C57AA7BB2FF48702F088169EC89EB295D731A948CB51

Function 0082ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0082ED2A
_wcslen.LIBCMT ref: 0082ED3B
_wcslen.LIBCMT ref: 0082ED79
_wcslen.LIBCMT ref: 0082EDAF
_wcslen.LIBCMT ref: 0082EDDF
_wcslen.LIBCMT ref: 0082EDEF
_wcslen.LIBCMT ref: 0082EE2B
_wcslen.LIBCMT ref: 0082EE5A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction ID: 7f4806df5adaee17ab1fc8458681e8bf1a51d50b100a644447daaaabd71efa52
Opcode Fuzzy Hash: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction Fuzzy Hash: F1417266C11258B5CB11EBF5888E9CF77ACFF49710F504462E614E3122EB38E655C3E9

Function 007DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 007DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F454

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction ID: a2eac427a6189a2d23532ce8322ffced11f0765e2d626d7494f752f314a3e708
Opcode Fuzzy Hash: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction Fuzzy Hash: 3A410870A08780BECB399B2D88A876A7AB5FF55314F14403EE18BD6761C639B8C0CB11

Function 00852D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00852D1B
GetDC.USER32(00000000), ref: 00852D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00852D2E
ReleaseDC.USER32(00000000,00000000), ref: 00852D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00852D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00852D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00855A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00852DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00852DE1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction ID: 465d927982271e0990244e69a0d33e4a28c51290bed385fb4df16cd2400b1a87
Opcode Fuzzy Hash: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction Fuzzy Hash: 60316B72201714BFEB118F548C8AFEB3FA9FB1A756F044055FE08DA291C6799C50CBA4

Function 00825622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825637
_memcmp.LIBVCRUNTIME ref: 00825659
_memcmp.LIBVCRUNTIME ref: 00825671
_memcmp.LIBVCRUNTIME ref: 00825684
_memcmp.LIBVCRUNTIME ref: 0082569E
_memcmp.LIBVCRUNTIME ref: 008256B1
_memcmp.LIBVCRUNTIME ref: 008256C9
_memcmp.LIBVCRUNTIME ref: 008256E4

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction ID: a538a66cb5c5f305e6b1a26f352b1248adce2ce722fa71f30ce33d0e3e3af508
Opcode Fuzzy Hash: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction Fuzzy Hash: 5321B371AC2A69BBD2149525AE82FBB235CFF34395F840030FE05DA686F738ED5481A5

Function 00844FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0084502E, 00845383
Not an Object type, xrefs: 00845007

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 2b99fc7ffede0469337e864967f07a15f621e4064c34fab105a1f2db408046e4
Instruction ID: 9f11ed61effe3b1202cb7047dc3749c7ef5e5d2999bcd30fffd3d6591bbfc6b6
Opcode Fuzzy Hash: 2b99fc7ffede0469337e864967f07a15f621e4064c34fab105a1f2db408046e4
Instruction Fuzzy Hash: 99D18C75A0061EAFDB10CFA8C881BAEB7B5FF48344F148469E915EB282E771DD45CB90

Function 00801522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00801651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008016FB

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00801777
__freea.LIBCMT ref: 008017A2
__freea.LIBCMT ref: 008017AE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction ID: bb0c76376fce074beb8107cf584df1b6695a30720795a44aae83973b680ad5b2
Opcode Fuzzy Hash: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction Fuzzy Hash: 02919472E0021A9EDF608E64CC89AFE7BB5FF49724F184659E911EB2C5DB25DC40CB60

Function 00844523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00844648
VariantInit.OLEAUT32(?), ref: 00844749
VariantClear.OLEAUT32(?), ref: 00844753
VariantClear.OLEAUT32(?), ref: 008447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008445D8, 00844706, 008447BE
Incorrect Object type in FOR..IN loop, xrefs: 0084472C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 139ad2e0283dc931a8b88d8c96db3352f2ceab1e03f65b290825dad567793b94
Instruction ID: 5498833e78a6addc9177ad3ab499107db2c898db1db8898972eca4d579306ca4
Opcode Fuzzy Hash: 139ad2e0283dc931a8b88d8c96db3352f2ceab1e03f65b290825dad567793b94
Instruction Fuzzy Hash: 80918971A0021DABDF20CFA4C888FAEBBB8FF46714F109559E515EB281D7749946CFA0

Function 00831187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0083125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00831284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0083135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00831430

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
Instruction ID: db9ad9cf690ed972d5f597f4c563a5db164328cda020265339807434eb02d3fc
Opcode Fuzzy Hash: a23838bb7f75a48bfbd6562bda8694b26f906296833ca976b356edda3c037942
Instruction Fuzzy Hash: 9191D271A002099FDF00DFA8C898BBEB7B5FF84B15F144429E911EB291DB78A941CBD5

Function 007D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction ID: 61d866f9acd12799a97bf74b5ff5cbe1d245edc3120e3526c09602fadbf8fb3f
Opcode Fuzzy Hash: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction Fuzzy Hash: 14912971D40219EFCB10CFA9CC88AEEBBB8FF49320F14455AE516B7291D378A951CB60

Function 00843947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0084396B
CharUpperBuffW.USER32(?,?), ref: 00843A7A
_wcslen.LIBCMT ref: 00843A8A
VariantClear.OLEAUT32(?), ref: 00843C1F

Part of subcall function 00830CDF: VariantInit.OLEAUT32(00000000), ref: 00830D1F
Part of subcall function 00830CDF: VariantCopy.OLEAUT32(?,?), ref: 00830D28
Part of subcall function 00830CDF: VariantClear.OLEAUT32(?), ref: 00830D34

Strings

AUTOIT.ERROR, xrefs: 00843A80, 00843A85
Incorrect Parameter format, xrefs: 008439A6, 00843BA1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
Instruction ID: e32b35823c0deebf4d2e883ffbf2b600287979f1dac293bcc334f990e347e6ed
Opcode Fuzzy Hash: cfd2d2616f658c1524ca117a0f78b4275e9f68386a68ce59d6f9757b2e7a725f
Instruction Fuzzy Hash: 139133746083099FC704EF28C48596AB7E5FF88314F14882EF88A9B351DB35EE45CB92

Function 00844BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0082000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
Part of subcall function 0082000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
Part of subcall function 0082000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
Part of subcall function 0082000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00844C51
_wcslen.LIBCMT ref: 00844D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00844DCF
CoTaskMemFree.OLE32(?), ref: 00844DDA

Strings

NULL Pointer assignment, xrefs: 00844E23, 00844E52

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
Instruction ID: aa66dacace15bc8cb718323d6e8f127c38ea22e7319c9290ef5ec586c2490acc
Opcode Fuzzy Hash: 07b0e55f923fe90e3b4606c5922d839fd81f9aa155096000c2e9026cedadecc5
Instruction Fuzzy Hash: AC910171D0021DEFDF10DFA4D895AEEB7B9FF08314F10816AE915A7251EB34AA458FA0

Function 008520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00852183
GetMenuItemCount.USER32(00000000), ref: 008521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008521DD
_wcslen.LIBCMT ref: 00852213
GetMenuItemID.USER32(?,?), ref: 0085224D
GetSubMenu.USER32(?,?), ref: 0085225B

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008522E3

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8f83a655c8424d2ce92c5e62cb49309db9ec2f7e081d1e7b96b16aadb14d6eb1
Instruction ID: e1be0b351cda687cc9927434cd9ff54796521a583a9b2ed18cf335b4c6d9744d
Opcode Fuzzy Hash: 8f83a655c8424d2ce92c5e62cb49309db9ec2f7e081d1e7b96b16aadb14d6eb1
Instruction Fuzzy Hash: 0B718E75A00215EFCB10DF68C885AAEB7F1FF49311F148499E816EB351DB38AE458F90

Function 00857E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01345528), ref: 00857F37
IsWindowEnabled.USER32(01345528), ref: 00857F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0085801E
SendMessageW.USER32(01345528,000000B0,?,?), ref: 00858051
IsDlgButtonChecked.USER32(?,?), ref: 00858089
GetWindowLongW.USER32(01345528,000000EC), ref: 008580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008580C3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 458e630bda4bbcd48719478298b43ca51a210144c485437a395dca7ea07d4bea
Instruction ID: 9080c0823951ef37beaf0ed9a1e7050515132b684ff1dc68716b29bda6c2ac8a
Opcode Fuzzy Hash: 458e630bda4bbcd48719478298b43ca51a210144c485437a395dca7ea07d4bea
Instruction Fuzzy Hash: E5718C34608204EFEF21DF64D884FAABBB5FF09302F14845AED45E72A1CB31A949CB10

Function 0082AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0082AEF9
GetKeyboardState.USER32(?), ref: 0082AF0E
SetKeyboardState.USER32(?), ref: 0082AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0082AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0082AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0082AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0082B020

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction ID: f2ab9d4218a2f0ad9c03138c5f79e4d342d687dc55fba7224f845ddc7176608a
Opcode Fuzzy Hash: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction Fuzzy Hash: C951B1A06047E53EFB3A42349945BBA7FE9FF06304F088489E1E5D54C2D7A9ACC4D752

Function 0082ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0082AD19
GetKeyboardState.USER32(?), ref: 0082AD2E
SetKeyboardState.USER32(?), ref: 0082AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0082ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0082ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0082AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0082AE38

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction ID: 8cedbc0c71b72bd2621151c3c16dcbd37962b288b772d8334de72e347d4d7c45
Opcode Fuzzy Hash: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction Fuzzy Hash: 2A51D3A15047E53EFB3A82249C95B7ABEE8FF46300F088489E1D5D68C2D294ECC9D752

Function 007F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00803CD6,?,?,?,?,?,?,?,?,007F5BA3,?,?,00803CD6,?,?), ref: 007F5470
__fassign.LIBCMT ref: 007F54EB
__fassign.LIBCMT ref: 007F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00803CD6,00000005,00000000,00000000), ref: 007F552C
WriteFile.KERNEL32(?,00803CD6,00000000,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F554B
WriteFile.KERNEL32(?,?,00000001,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F5584

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction ID: 8532078c2fd2b5b38892178fcf37f877d779258e6778e88addb82ca513a94113
Opcode Fuzzy Hash: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction Fuzzy Hash: 52519F71A006499FDB10CFA8D845AEEBBFAEF09300F14411AE655E7391E634AA51CB60

Function 008410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WSOCK32(?), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00841112
WSAGetLastError.WSOCK32 ref: 00841121
WSAGetLastError.WSOCK32 ref: 008411C9
closesocket.WSOCK32(00000000), ref: 008411F9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
Instruction ID: 554d4639b1706e12f6e5c2f3d32779a1eaee9752efc4d98230802471bbdc4bbd
Opcode Fuzzy Hash: 62a47c7d1431d029e73532b005952d7f92769cb7eb344e57a56dd93dfaaf57ae
Instruction Fuzzy Hash: 5A41D431600208AFDF109F24C889BA9BBE9FF45369F148059F919DB291D774ED81CFA1

Function 0082CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

lstrcmpiW.KERNEL32(?,?), ref: 0082CF45
MoveFileW.KERNEL32(?,?), ref: 0082CF7F
_wcslen.LIBCMT ref: 0082D005
_wcslen.LIBCMT ref: 0082D01B
SHFileOperationW.SHELL32(?), ref: 0082D061

Strings

\*.*, xrefs: 0082CFF3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
Instruction ID: da0c43342e0f4787e4395c3a453c37198e2cc1ab345bc73e0e74f3883c19175b
Opcode Fuzzy Hash: 2463bae54e259a78e0a37b522192157bfddf505f328cc4ee61113ec497664020
Instruction Fuzzy Hash: B84155719452299FDF12EBA4DA85EEDB7B8FF08340F1000E6E545EB142EF74A684CB51

Function 00852DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00852E1C
GetWindowLongW.USER32(?,000000F0), ref: 00852E4F
GetWindowLongW.USER32(?,000000F0), ref: 00852E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00852EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00852EE0
GetWindowLongW.USER32(?,000000F0), ref: 00852EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00852F0B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction ID: 2d4f55938f6f6c95453e3dda2d76ab442f5f7f0100582a95d38f22c8cbea5dd2
Opcode Fuzzy Hash: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction Fuzzy Hash: 2D31F230604255AFDB21DF58EC8AF653BE1FB9A712F5901A5F901CB2B2CB71B8449B41

Function 00827726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082778F
SysAllocString.OLEAUT32(00000000), ref: 00827792
SysAllocString.OLEAUT32(?), ref: 008277B0
SysFreeString.OLEAUT32(?), ref: 008277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008277DE
SysAllocString.OLEAUT32(?), ref: 008277EC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7e2361ca86f1ef9acde8e3666c64a88dfa42accddcff8f78c49f587ee61152bd
Instruction ID: e4fba6bcbcef34ad428fdebeb9315c039c077e5dccea0f0951a0599ff386c2d7
Opcode Fuzzy Hash: 7e2361ca86f1ef9acde8e3666c64a88dfa42accddcff8f78c49f587ee61152bd
Instruction Fuzzy Hash: 22219076604329AFDB10DFA9DC88CBB77ACFB097647448025FA15DB290D674DC818B64

Function 008277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827868
SysAllocString.OLEAUT32(00000000), ref: 0082786B
SysAllocString.OLEAUT32 ref: 0082788C
SysFreeString.OLEAUT32 ref: 00827895
StringFromGUID2.OLE32(?,?,00000028), ref: 008278AF
SysAllocString.OLEAUT32(?), ref: 008278BD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d0a0ca88b4b4d1ef7382b6b0c373ffa6ea99e80cf996bb878e0ac1dcb76bdd54
Instruction ID: 6901ff76b9e1789b2c63dadbfe0ff5a2c9eec77c3a76f7154cfead02d2a552a3
Opcode Fuzzy Hash: d0a0ca88b4b4d1ef7382b6b0c373ffa6ea99e80cf996bb878e0ac1dcb76bdd54
Instruction Fuzzy Hash: BD217435604228AFDB109FA9DC8CDAA77ECFB097607508135F915CB2A1D674DC81CB68

Function 008304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083052E

Strings

nul, xrefs: 00830567

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction ID: e163939e10db7e051b5effb09a5c1821cc7a90caa99a1c5c10fcc616432454fa
Opcode Fuzzy Hash: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction Fuzzy Hash: 3B214C75500309AFDF209F69DC54A9A7BB4FF84725F204A19F8A1E72E0E7709950CFA0

Function 008305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00830601

Strings

nul, xrefs: 00830639

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction ID: 39853d01765f1aafac110bde4f354ea7b000bfff32f68dc8217a59583dd548df
Opcode Fuzzy Hash: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction Fuzzy Hash: 332195755003059FDB209F69CC15A9A77E8FFE5B25F200A19F8A1E72D4E7709860CF90

Function 008540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00854112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00854139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00854145

Strings

Msctls_Progress32, xrefs: 008540E3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction ID: 1b8eb47718b7362f9d49c91e44d1afd5e88808585149b9dced74be19a6ccf51d
Opcode Fuzzy Hash: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction Fuzzy Hash: BD1190B218021DBEEF119E64CC85EE77FADFF18798F105111BA18E2190C6769C619BA4

Function 007FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007FD7A3: _free.LIBCMT ref: 007FD7CC

_free.LIBCMT ref: 007FD82D

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD838
_free.LIBCMT ref: 007FD843
_free.LIBCMT ref: 007FD897
_free.LIBCMT ref: 007FD8A2
_free.LIBCMT ref: 007FD8AD
_free.LIBCMT ref: 007FD8B8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8956c552c3231eaeca6cd31189136c557aecdf09ecc86ff17c0af1eb67743721
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3811D07158170CEAD531FFB0CC4BFEB7BDD6F05700F404815B399AA6A2D669B9054A60

Function 0082DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0082DA74
LoadStringW.USER32(00000000), ref: 0082DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0082DA91
LoadStringW.USER32(00000000), ref: 0082DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0082DAB9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction ID: 911b50cd9b55a526dcc1e754163492e4b9f128b59d2b195dce1b40862b0d9a8a
Opcode Fuzzy Hash: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction Fuzzy Hash: 3F0162F25003187FE710ABE49D89EEB376CF708306F404495B746E2041EA789E848F74

Function 0083096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0133D1E0,0133D1E0), ref: 0083097B
EnterCriticalSection.KERNEL32(0133D1C0,00000000), ref: 0083098D
TerminateThread.KERNEL32(?,000001F6), ref: 0083099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008309A9
CloseHandle.KERNEL32(?), ref: 008309B8
InterlockedExchange.KERNEL32(0133D1E0,000001F6), ref: 008309C8
LeaveCriticalSection.KERNEL32(0133D1C0), ref: 008309CF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction ID: de54cd6122c0304fce091d4ca059bd18da45b45bc087406504ae3a5680c0b80f
Opcode Fuzzy Hash: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction Fuzzy Hash: 08F0C932442B12AFD7515BA4EE89BDABA69FF45703F802025F202948A1CB7994A5CF91

Function 007C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007C5D30
GetWindowRect.USER32(?,?), ref: 007C5D71
ScreenToClient.USER32(?,?), ref: 007C5D99
GetClientRect.USER32(?,?), ref: 007C5ED7
GetWindowRect.USER32(?,?), ref: 007C5EF8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
Instruction ID: 271895621ad5fa9abeff797ad1726d9ebbf2c521804b77f604c24ad82d709fa3
Opcode Fuzzy Hash: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
Instruction Fuzzy Hash: 08B16C74A0074ADBDB14CFA9C880BEAB7F1FF54310F14951EE8A9D7290DB34AA91DB50

Function 007F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F00D6
__allrem.LIBCMT ref: 007F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F010B
__allrem.LIBCMT ref: 007F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F0140

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ed8eba516debf7e20e25c71bd34530234b0fa90510db3706a9678172983557d1
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 19810772601B0ADBEB209F69CC45B7E73E9EF45724F24453AF611D6782EB78D9008790

Function 00841D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00843149: select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00843195

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00841DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00841DE1
WSAGetLastError.WSOCK32 ref: 00841DF2
inet_ntoa.WSOCK32(?), ref: 00841E8C
htons.WSOCK32(?), ref: 00841EDB
_strlen.LIBCMT ref: 00841F35

Part of subcall function 008239E8: _strlen.LIBCMT ref: 008239F2

Part of subcall function 007C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,007DCF58,?,?,?), ref: 007C6DBA
Part of subcall function 007C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,007DCF58,?,?,?), ref: 007C6DED

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 7d014923094c1e35a6105f0bc1ce32ac637b0e1e3c22fb15e88bfb09e3639602
Instruction ID: 05be8247832c449699425b212ea4eff81147d95365b0ba02cb15211a66ed909d
Opcode Fuzzy Hash: 7d014923094c1e35a6105f0bc1ce32ac637b0e1e3c22fb15e88bfb09e3639602
Instruction Fuzzy Hash: 6EA1CF31204344AFC724DB24C889F2ABBA5FF84318F54895CF4569B2A2CB35ED86CB91

Function 007F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007E82D9,007E82D9,?,?,?,007F644F,00000001,00000001,8BE85006), ref: 007F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007F644F,00000001,00000001,8BE85006,?,?,?), ref: 007F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007F63D8
__freea.LIBCMT ref: 007F63E5

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

__freea.LIBCMT ref: 007F63EE
__freea.LIBCMT ref: 007F6413

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction ID: 6715f12537c7d57216114b8bdac2c7034369b8e75b393cbb4050d110aff48719
Opcode Fuzzy Hash: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction Fuzzy Hash: C051F072A0021AAFEB258F64CC85EBF77AAEF54750F154229FE05D7240EB38DC44D6A1

Function 0084BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BD25
RegCloseKey.ADVAPI32(00000000), ref: 0084BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0084BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084BDF3
RegCloseKey.ADVAPI32(?), ref: 0084BDFF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2f7588bff48813908f0766c2877dd8ecd6d6dab26b07a618605e0c53948f4b9a
Instruction ID: f988809f679c0635ead9d6dbef5c888ea947a191ae3485fdf042b5734f62e7d5
Opcode Fuzzy Hash: 2f7588bff48813908f0766c2877dd8ecd6d6dab26b07a618605e0c53948f4b9a
Instruction Fuzzy Hash: BE817B30208245EFD714DF24C895E2ABBE5FF84308F14899CF5598B2A2DB36ED45CB92

Function 0081F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0081F7B9
SysAllocString.OLEAUT32(00000001), ref: 0081F860
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F889
VariantClear.OLEAUT32(0081FA64), ref: 0081F8AD
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F8B1
VariantClear.OLEAUT32(?), ref: 0081F8BB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
Instruction ID: 73e8122d6cefbca35046737789ff8a7271073ac84d1546510e992fca1a098e53
Opcode Fuzzy Hash: 4ceeeca25f762584362b3ba9dd50b01425d8606a5d1d04193dcf8f786b21fd53
Instruction Fuzzy Hash: 4251D731600314FACF10AB65D895BA9B7ACFF45714F14446BEA06DF293DB748C80CB96

Function 0083910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008394E5
_wcslen.LIBCMT ref: 00839506
_wcslen.LIBCMT ref: 0083952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00839585

Strings

X, xrefs: 00839412

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3e8e7bb5a9968820d5572075d7732a00a0caa5a88406680d040f9d3cef01d8dd
Instruction ID: 35e41e0421134ae870bef4a11cf93c82e201c3e807e16c8c31cef6d249249b5a
Opcode Fuzzy Hash: 3e8e7bb5a9968820d5572075d7732a00a0caa5a88406680d040f9d3cef01d8dd
Instruction Fuzzy Hash: 14E16B71608340DFC724EF24C885A6AB7E0FF84314F04896DE9999B3A2DB75ED45CB92

Function 007D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

BeginPaint.USER32(?,?,?), ref: 007D9241
GetWindowRect.USER32(?,?), ref: 007D92A5
ScreenToClient.USER32(?,?), ref: 007D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D92D3
EndPaint.USER32(?,?,?,?,?), ref: 007D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008171EA

Part of subcall function 007D9339: BeginPath.GDI32(00000000), ref: 007D9357

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction ID: d61d1f1d733c9b3c4b5939b8cd8995f0406f0e548fea6f3f3908935a97a6d993
Opcode Fuzzy Hash: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction Fuzzy Hash: 77418C70108301AFDB11EF24CC88FAA7BB8FF55721F14062AFA95D72A1C735A845DB61

Function 008307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0083080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00830847
EnterCriticalSection.KERNEL32(?), ref: 00830863
LeaveCriticalSection.KERNEL32(?), ref: 008308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00830921

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 2432746fe0629515a9f476d3423f8cdb8b367a7c0cf996d81f844a066d75c5b6
Instruction ID: d1e5b2c28ffabfba200ff7a1fac268246939e6d7570037f0eaf032b299d6da22
Opcode Fuzzy Hash: 2432746fe0629515a9f476d3423f8cdb8b367a7c0cf996d81f844a066d75c5b6
Instruction Fuzzy Hash: 0A415771900205EFDF14AF64DC85A6ABBB9FF44300F1440A9ED05EA296DB34DE64DFA0

Function 008581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0081F3AB,00000000,?,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0085824C
EnableWindow.USER32(?,00000000), ref: 00858272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008582D1
ShowWindow.USER32(?,00000004), ref: 008582E5
EnableWindow.USER32(?,00000001), ref: 0085830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0085832F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction ID: 2c6d77b5c18af4ec93a42cd992b7f24bb18de8c1c3a2baade0a7be2ee50a7b6c
Opcode Fuzzy Hash: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction Fuzzy Hash: F5418234601645EFDF12DF25C899BE47FE1FB0A716F18416AE908DB262CB31A849CF50

Function 00824C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00824C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00824CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00824CEA
_wcslen.LIBCMT ref: 00824D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00824D10
_wcsstr.LIBVCRUNTIME ref: 00824D1A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 7f660cc4f8a8dd249280fd3808893121ccda82247d26d734ac3f97617daeeb9b
Instruction ID: dd28442d4a90dabbddc1ca86ba346355c9f8b34949571d950fc34e65d50abc23
Opcode Fuzzy Hash: 7f660cc4f8a8dd249280fd3808893121ccda82247d26d734ac3f97617daeeb9b
Instruction Fuzzy Hash: AA212931204214BBEB155B39FC09E7B7BECEF45750F10507EF805CA192EA65DD4086B0

Function 0083581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

_wcslen.LIBCMT ref: 0083587B
CoInitialize.OLE32(00000000), ref: 00835995
CoCreateInstance.OLE32(0085FCF8,00000000,00000001,0085FB68,?), ref: 008359AE
CoUninitialize.OLE32 ref: 008359CC

Strings

.lnk, xrefs: 00835876, 008358C1, 00835985

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
Instruction ID: 01a7f1d309e52f12d0c1413fbf2e2a980b2261b0060e33a89e1d5fed89286de3
Opcode Fuzzy Hash: 05ba5da93f7d29b88756fbe5dca0d05eeae494bc12a93b99eeade28db4949847
Instruction Fuzzy Hash: 98D14E71608601DFC714EF24C488A2ABBE1FF89724F14885DF88A9B361DB35ED45CB92

Function 0082175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
Part of subcall function 00820FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
Part of subcall function 00820FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
Part of subcall function 00820FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

GetLengthSid.ADVAPI32(?,00000000,00821335), ref: 008217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008217BA
HeapAlloc.KERNEL32(00000000), ref: 008217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008217DA
GetProcessHeap.KERNEL32(00000000,00000000,00821335), ref: 008217EE
HeapFree.KERNEL32(00000000), ref: 008217F5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction ID: d6467e739118b6ca63200cc2b02f3d3322db7a341f4ef359ff5ff37d47d40001
Opcode Fuzzy Hash: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction Fuzzy Hash: 4B11AC31500715EFDF109FA4EC49BAE7BA9FB95356F204018F441D7255C739A984CF60

Function 008214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00821506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00821515
CloseHandle.KERNEL32(00000004), ref: 00821520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0082154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00821563

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction ID: c351abba588df93283ff7ce8143043d5209ab53554e2641ff34bd23c3dc7500b
Opcode Fuzzy Hash: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction Fuzzy Hash: 9D11597250030DAFDF118F98EE49BDE7BA9FF48705F144055FA05A2160C3758EA0DB60

Function 007E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007E3379,007E2FE5), ref: 007E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007E33B7
SetLastError.KERNEL32(00000000,?,007E3379,007E2FE5), ref: 007E3409

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: aafe719be724d4934610f40f43e2347e0af77a6e86e0bb55bd32e98de29b5118
Instruction ID: 0923b255494b954ba284a6af4be40a9ddf77b9f07f01be8fd864d7fb989e0aef
Opcode Fuzzy Hash: aafe719be724d4934610f40f43e2347e0af77a6e86e0bb55bd32e98de29b5118
Instruction Fuzzy Hash: 1501283220B791FFE726277B7C8D9662A94FB0D3B97300229F410872F1EF694D015664

Function 007F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007F5686,00803CD6,?,00000000,?,007F5B6A,?,?,?,?,?,007EE6D1,?,00888A48), ref: 007F2D78
_free.LIBCMT ref: 007F2DAB
_free.LIBCMT ref: 007F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DEC
_abort.LIBCMT ref: 007F2DF2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ead0eee29d09d5c23412eaf488f25a5dd64770d27fe581720f7d7401af74b1d2
Instruction ID: 96f3c6fbfbfef75f8e063bb7463c08bfe3b580a4776a3f79dc01745f4bab69a3
Opcode Fuzzy Hash: ead0eee29d09d5c23412eaf488f25a5dd64770d27fe581720f7d7401af74b1d2
Instruction Fuzzy Hash: 81F0F435645B0CBBC2122738BC0EA7A2559BFC17A1B240118FB24D23A3EE2C88034561

Function 00858A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00858A4E
LineTo.GDI32(?,00000003,00000000), ref: 00858A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00858A70
LineTo.GDI32(?,00000000,00000003), ref: 00858A80
EndPath.GDI32(?), ref: 00858A90
StrokePath.GDI32(?), ref: 00858AA0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction ID: aef8c4a85c7e9390fee8d5e6de8eb9e53577ec1c876375995974dcea18daed1f
Opcode Fuzzy Hash: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction Fuzzy Hash: 77110976000219FFDF129F90DC88EAA7F6DFB08391F048012FA199A1A1C7729D55DFA0

Function 008251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00825218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00825229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00825230
ReleaseDC.USER32(00000000,00000000), ref: 00825238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00825261

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction ID: ffb38f04313ebeffced521fd80cd5bf6cac6b91875ea4586286f1811b7b8eec4
Opcode Fuzzy Hash: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction Fuzzy Hash: 09014F75A40718BFEB109BA69C49E5EBFB8FF48752F044065FA04E7281DA749900CFA0

Function 007C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction ID: 246239c133a2435621cac8e372caf596f171679365a37f04dd9651d48404ebb1
Opcode Fuzzy Hash: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction Fuzzy Hash: 980144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 0082EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0082EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0082EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0082EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB75

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction ID: 80becd73c53bfe9a63cd898acf7954af3b4648e0219fa92bbbc42e97fceb4c9c
Opcode Fuzzy Hash: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction Fuzzy Hash: 29F01D72140758BFE6215B529C0DEEB7EBCFBCAB12F000159F601D119196A45A418AB5

Function 00817439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00817452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00817469
GetWindowDC.USER32(?), ref: 00817475
GetPixel.GDI32(00000000,?,?), ref: 00817484
ReleaseDC.USER32(?,00000000), ref: 00817496
GetSysColor.USER32(00000005), ref: 008174B0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction ID: b62b6cf5711cee6371131b2645bdd25bc28d526d32efd9f29cf866c5553c1873
Opcode Fuzzy Hash: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction Fuzzy Hash: 4A012431404315EFEB515FA4DC48BEA7BBAFF04322F650168FA16A21A1CB391E91EF50

Function 00821874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082187F
UnloadUserProfile.USERENV(?,?), ref: 0082188B
CloseHandle.KERNEL32(?), ref: 00821894
CloseHandle.KERNEL32(?), ref: 0082189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008218A5
HeapFree.KERNEL32(00000000), ref: 008218AC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction ID: ed697d00b4ccd78f69ababa5262be49e41ad9417f1c5cd0380e70bdb782557e0
Opcode Fuzzy Hash: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction Fuzzy Hash: C9E0C236044705BFDA015BA5ED0C94ABB69FB49B22B908220F22681570CB36A4A0DF50

Function 0082C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C6EE
_wcslen.LIBCMT ref: 0082C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0082C7CA

Strings

0, xrefs: 0082C6AF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 5a893e7e9a3dcdbe0fc2773cba8e3e95c8b5a96394df63291c725c71d6bbe1a0
Instruction ID: b839aa9af4c6bd609105afce6772574700fabd64a9b0d53a051eabd899cf5d6b
Opcode Fuzzy Hash: 5a893e7e9a3dcdbe0fc2773cba8e3e95c8b5a96394df63291c725c71d6bbe1a0
Instruction Fuzzy Hash: 4251BD716043219FD714AF28E889B7E77E8FF49314F040A2DF996E32A0DB64D984CB52

Function 0084AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0084AEA3

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetProcessId.KERNEL32(00000000), ref: 0084AF38
CloseHandle.KERNEL32(00000000), ref: 0084AF67

Strings

<, xrefs: 0084AE6B
@, xrefs: 0084AE72

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b8127a2d6283a4595f5fe566ba6976bec69407018df881e7cf491ca8d7a27a85
Instruction ID: 3d34a2c1e2d2c2cf2aae71a14285f540646f7546056359036c5d68317de7604a
Opcode Fuzzy Hash: b8127a2d6283a4595f5fe566ba6976bec69407018df881e7cf491ca8d7a27a85
Instruction Fuzzy Hash: 94712375A00619DFCB18DF54D488A9EBBB4FF08314F04849DE856AB3A2CB78ED45CB91

Function 0082719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00827206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008272CF

Strings

DllGetClassObject, xrefs: 00827242

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction ID: dafed3950d79ed56f134074dc00c429f134a201e7ccec8a677c2bf8d6f4c6948
Opcode Fuzzy Hash: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction Fuzzy Hash: 35418CB1A04214EFDB15CF55D884A9A7BA9FF44314F1480ADFD06DF20AD7B4D984CBA0

Function 00853D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853E35
IsMenu.USER32(?), ref: 00853E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853E92
DrawMenuBar.USER32 ref: 00853EA5

Strings

0, xrefs: 00853D89

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e89575ecce07ae75ed0abead28bafc9d4bd5a165bc0cc8f3b2cf9e3cba647563
Instruction ID: ba03248175ac3acc6da7af7139b1069a50393dc8156ec224c827a341ef15ac4b
Opcode Fuzzy Hash: e89575ecce07ae75ed0abead28bafc9d4bd5a165bc0cc8f3b2cf9e3cba647563
Instruction Fuzzy Hash: 09414675A01209EFDB10DF90D889AAABBF9FF48396F044129ED05A7650D734AE49CF60

Function 00821DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00821E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00821E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00821EA9

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Strings

ListBox, xrefs: 00821E25
ComboBox, xrefs: 00821DF0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 59a60b35617580bb8ccaa5295a0dfd7063c4e6e5eb42caca373da6e4e5f57155
Instruction ID: 8aef3db14526e634adcd5a60c66c0cd8de73b256097eb29cde560c865018b5ab
Opcode Fuzzy Hash: 59a60b35617580bb8ccaa5295a0dfd7063c4e6e5eb42caca373da6e4e5f57155
Instruction Fuzzy Hash: EA21E475A00204AEDB14AB64EC5DDFFB7B9FF65350B20412DF825E72E1DB384E498A20

Function 0084C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084C9F1
_wcslen.LIBCMT ref: 0084CA68
_wcslen.LIBCMT ref: 0084CA9E
_wcslen.LIBCMT ref: 0084CAF9
_wcslen.LIBCMT ref: 0084CB2F
_wcslen.LIBCMT ref: 0084CB7F

Strings

HKLM, xrefs: 0084CA98, 0084CA9D
HKEY_LOCAL_MACHINE, xrefs: 0084CA62, 0084CA67

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 62a14fcc1e404a21ad8cbe62e2a60043049a88a799e51877a60e1a6cccc1254a
Instruction ID: 82c75f9aac9d37e3def69e193727724589c81d2cb2761a3e99a7522661f8c40c
Opcode Fuzzy Hash: 62a14fcc1e404a21ad8cbe62e2a60043049a88a799e51877a60e1a6cccc1254a
Instruction Fuzzy Hash: DD3128B3A0217E8BCB60EF6D88445BE33AAFBA1750B154029E851EB345FA75CD44D3A0

Function 00852F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00852F8D
LoadLibraryW.KERNEL32(?), ref: 00852F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00852FA9
DestroyWindow.USER32(?), ref: 00852FB1

Strings

SysAnimate32, xrefs: 00852F68

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction ID: 700c6373995f7a604c8979fbfa59a1e4cacb082810117871b227d161095b8f7f
Opcode Fuzzy Hash: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction Fuzzy Hash: 67218872204209ABEB205F64AC84EBB37B9FB5A366F100228FD50E6190DF71DC959B60

Function 007E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002), ref: 007E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000), ref: 007E4DC3

Strings

CorExitProcess, xrefs: 007E4D98
mscoree.dll, xrefs: 007E4D86

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction ID: 5eab3dc45105511779dacae85799ceeb41043b155020d08b0f980085e18e742c
Opcode Fuzzy Hash: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction Fuzzy Hash: DFF03C34A41308BFDB119F95DC49BAEBBA5FB48752F0000A4A905A6260CB795940CF94

Function 0081D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0081D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0081D3BF
FreeLibrary.KERNEL32(00000000), ref: 0081D3E5

Strings

X64, xrefs: 0081D2A8
GetSystemWow64DirectoryW, xrefs: 0081D3B9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction ID: 9e03b24b36164ccf41b693dab37765c7b542682c2c99731ac73739f200054e59
Opcode Fuzzy Hash: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction Fuzzy Hash: F4F020B0845B218FCB7527208C88BEA332CFF11706B548056F822E2204EB78CCC48A92

Function 007C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 007C4EA8
kernel32.dll, xrefs: 007C4E94

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction ID: 0180438e53a295bcdb23e3c864451ac7b716d31d007c89b866b38b44a819bd33
Opcode Fuzzy Hash: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction Fuzzy Hash: 82E08C36A42B226F92322B25AC28F6B7758BF81F63B06011DFC00E2200DB6CCD0189A1

Function 007C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 007C4E6E
kernel32.dll, xrefs: 007C4E5B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction ID: 6a58f582c8fbbc271a76b764b192986f5cc580a8ab61cd195e27b5bda36fdff3
Opcode Fuzzy Hash: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction Fuzzy Hash: 6DD01235542B615B56221B297C28E8B7B19FF85F62306051DBD05E2215CF6CCD01CAD0

Function 00832947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832C05
DeleteFileW.KERNEL32(?), ref: 00832C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00832C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CC0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9a3bc24eec818bf30a18ad3cce4322f1dcbf3ea0a9f95b7f2dace555d0b60afe
Instruction ID: 65a3f2db11f3e1cf95b1509a1e62df2288aa4bd2011effa981b589d52585c8cf
Opcode Fuzzy Hash: 9a3bc24eec818bf30a18ad3cce4322f1dcbf3ea0a9f95b7f2dace555d0b60afe
Instruction Fuzzy Hash: 8CB13071901119EBDF21EBA4CC89EDEB77DFF48350F1040AAF509E6151EA35AA448FA1

Function 0084A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0084A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084A468
CloseHandle.KERNEL32(?), ref: 0084A63D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: e6f0f1bbaa08938fd2f1f43d5b3b556a3028376f1f02b3ed4d82690691624e83
Instruction ID: a165496444ab38ac5aadd734e97772b8cb717549b1b0d72639ff175e330b9823
Opcode Fuzzy Hash: e6f0f1bbaa08938fd2f1f43d5b3b556a3028376f1f02b3ed4d82690691624e83
Instruction Fuzzy Hash: A5A18C71644300AFD724DF24D886F2AB7E5EB88714F14885DF59ADB392DBB4EC418B82

Function 0082E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

lstrcmpiW.KERNEL32(?,?), ref: 0082E473
MoveFileW.KERNEL32(?,?), ref: 0082E4AC
_wcslen.LIBCMT ref: 0082E5EB
_wcslen.LIBCMT ref: 0082E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0082E650

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
Instruction ID: 4f4fbf2e2602a0c7717cef155ad2ba019bfd4525c5b30858794b72332d4d42f6
Opcode Fuzzy Hash: d54dd183a97b3656b170c3ee45de45c815997cf8226ec77215b4f181a5de4462
Instruction Fuzzy Hash: 185163B24087959BC724EB94DC859DFB3DCEF84340F40492EF689D3151EF74A588876A

Function 0084B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0084BB63
RegCloseKey.ADVAPI32(?,?), ref: 0084BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0084BBB3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
Instruction ID: 6698f8772486a672c83b1ebd6f79e21d69370b4746a05896393e3d2245df9f7b
Opcode Fuzzy Hash: 6376b65f580723461e721cb34ba60c0bea5fba50d48516a23111035333cb7cae
Instruction Fuzzy Hash: E061AE31208245EFD714DF24C895E2ABBE5FF84318F14895CF4998B2A2DB35ED45CB92

Function 00828BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00828BCD
VariantClear.OLEAUT32 ref: 00828C3E
VariantClear.OLEAUT32 ref: 00828C9D
VariantClear.OLEAUT32(?), ref: 00828D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00828D3B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction ID: 1aa78ab92a93ed75bb40975a9d72e5bff6dbe6e35c0b4762806b6d2fc4c9bedd
Opcode Fuzzy Hash: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction Fuzzy Hash: E65188B5A01219EFDB10CF68D884EAAB7F8FF89314B118559E909DB350E734E951CFA0

Function 00838AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00838BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00838BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00838C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00838C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00838C5F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6b8ae9bb46d8eee8f3898dbfa562b998fc3cc4116535f3e423911d507d0c0dc4
Instruction ID: 568ba8311af31cc400d7af912b04a6b00a9afbed80b3b0e41bdf1ecb21702514
Opcode Fuzzy Hash: 6b8ae9bb46d8eee8f3898dbfa562b998fc3cc4116535f3e423911d507d0c0dc4
Instruction Fuzzy Hash: E7510535A00215DFCB05DF64C885E69BBF5FF48314F088459E849AB362DB39ED51DB90

Function 00848EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00848F40
GetProcAddress.KERNEL32(00000000,?), ref: 00848FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00848FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00849032
FreeLibrary.KERNEL32(00000000), ref: 00849052

Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00831043,?,753CE610), ref: 007DF6E6
Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0081FA64,00000000,00000000,?,?,00831043,?,753CE610,?,0081FA64), ref: 007DF70D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
Instruction ID: 5becd9a1cbb0874eaddc89060dc2ca36eb3b778e715a3416e103641f3666c16f
Opcode Fuzzy Hash: eb279ca31c8d671271ab012eb6556ce324ca57ec3db90dd5b63197321a70cd40
Instruction Fuzzy Hash: CE511735600609DFC715DF68C498DADBBF1FF49314B0580A9E84A9B362DB35ED85CB90

Function 00856B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00856C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00856C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00856C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0083AB79,00000000,00000000), ref: 00856C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00856CC7

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction ID: 2e83d2902cb20d625800660c7c5de9edcdd7cac45d5de2425569602ea22b26aa
Opcode Fuzzy Hash: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction Fuzzy Hash: 5041D635A04204AFDB24DF28CC59FA97FA5FB09365F940228FC95E72E0E371AD65CA40

Function 007F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F20C3
_free.LIBCMT ref: 007F20E3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction ID: d8ae56b6296fb84adb53279e384412e128ebe68d5254ccae692a6ad53e03112e
Opcode Fuzzy Hash: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction Fuzzy Hash: 0041F232A00208DFCB20DF78C884A6DB7F5EF89314F1545A9E615EB392DB35AD02CB90

Function 007D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D9141
ScreenToClient.USER32(00000000,?), ref: 007D915E
GetAsyncKeyState.USER32(00000001), ref: 007D9183
GetAsyncKeyState.USER32(00000002), ref: 007D919D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction ID: 5adba376d4f3edb220890b28aa70aa4e889677c6fd7aa92f28901422ea0a5364
Opcode Fuzzy Hash: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction Fuzzy Hash: 5641607190860AFBDF199F68C848BEEB775FF05324F20421AE525A3290D7356D94CF51

Function 00833874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00833922
TranslateMessage.USER32(?), ref: 0083394B
DispatchMessageW.USER32(?), ref: 00833955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction ID: 433fae251bf93c34df21886206db8da64c00b6a4d7ce90a077012e00e9ee309d
Opcode Fuzzy Hash: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction Fuzzy Hash: 34310670508346DFEF25DB34D809BB67FA8FB86304F08046AE862D25A0E3F49685DB91

Function 0083CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0083CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFF2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 3bab210b5c04832263a3b0eb51cb52b32dabec040bc307f5474f2766ea871e66
Instruction ID: 43d6b3dbdce73e584282f2b181642544464580551f0bdf31bcf71047d4ee2ee7
Opcode Fuzzy Hash: 3bab210b5c04832263a3b0eb51cb52b32dabec040bc307f5474f2766ea871e66
Instruction Fuzzy Hash: 99313A71600709EFDB20DFA5C8849AABBF9FB54355F10442EE506E2241DB74AE419BA0

Function 00821901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00821915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008219E2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction ID: 6003c4fcab7b3875b63584d6e356ab33dbd48247e44e398b5cba1a154ce39ea9
Opcode Fuzzy Hash: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction Fuzzy Hash: 60319C71A00229EFCB00CFA8D99DA9E7BB5FB14315F204229F921E72D1C7709A84CB90

Function 00855706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00855745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0085579D
_wcslen.LIBCMT ref: 008557AF
_wcslen.LIBCMT ref: 008557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction ID: 04758a8592c7ddba432d8f8bbfe16a9a1aa9ce52a40b5bb47db7bfdc97198de4
Opcode Fuzzy Hash: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction Fuzzy Hash: C721B671904618DBDB209FA0DC84AEE7BB9FF04326F108256FD29EB180D7749A89CF50

Function 007D990F Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1
GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction ID: 6c3bd15fac99ba27b16da6a12ad5fe53bac310ac133d954ecc7888ff119c3c24
Opcode Fuzzy Hash: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction Fuzzy Hash: 5E21F6714453909FCB114F24ECA8BE53FB4AF67722F18418EE6D28B2A2D7396991DF10

Function 00840930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00840951
GetForegroundWindow.USER32 ref: 00840968
GetDC.USER32(00000000), ref: 008409A4
GetPixel.GDI32(00000000,?,00000003), ref: 008409B0
ReleaseDC.USER32(00000000,00000003), ref: 008409E8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
Instruction ID: 5feab19f172e2a157ba23acba481e9e0704f8b8346f1e2369203c86be98f9148
Opcode Fuzzy Hash: ea7baf9b8e8563f13c017a409080604a4ee89d808c507346f9877b938dc771e3
Instruction Fuzzy Hash: 76215E35A00214AFD704EF69D889AAEBBE5FF48701F04846CE84AD7752CA34AD04CF90

Function 007FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FCDE9

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FCE0F
_free.LIBCMT ref: 007FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FCE31

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction ID: 2dd39d26fa96b5d0ea6bf42ef8afcbdc20bf4927922c2ac97548dae54f06f957
Opcode Fuzzy Hash: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction Fuzzy Hash: F4018472A0171D7F23221AB66D8CDBB796DEEC6BA1315012DFA05D7301EA6D8D0195F0

Function 007D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
SelectObject.GDI32(?,00000000), ref: 007D96A2
BeginPath.GDI32(?), ref: 007D96B9
SelectObject.GDI32(?,00000000), ref: 007D96E2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction ID: d86df606e073bfdd567d7daa37d796d1dac06124dbc2e54dabb1268f7c2af874
Opcode Fuzzy Hash: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction Fuzzy Hash: 5A215E30806306EFDF11AF65EC187A97FB8BB50366F984217F511A62B0D3799892CF94

Function 00825711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825726
_memcmp.LIBVCRUNTIME ref: 00825744
_memcmp.LIBVCRUNTIME ref: 00825757
_memcmp.LIBVCRUNTIME ref: 0082576F
_memcmp.LIBVCRUNTIME ref: 00825787

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction ID: dfeb58b4bcc09ce28ae484b29b1b0c6ae9f5d4f5a7f6124f5bd00c8ff50e0b82
Opcode Fuzzy Hash: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction Fuzzy Hash: 3E01F5716C2669FFD2089115AE86FBB734DFB243A9F404030FE04DA242F734ED5482A1

Function 007F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6), ref: 007F2DFD
_free.LIBCMT ref: 007F2E32
_free.LIBCMT ref: 007F2E59
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E66
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E6F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 12963d5f31efdec28e1b323d72ab891e414d67cfdba57a60065e14c8f0fc4980
Instruction ID: 3398ad435ec4d23e38243023221c4ee450bd55c791aa2c230f0f85f8d018e4ed
Opcode Fuzzy Hash: 12963d5f31efdec28e1b323d72ab891e414d67cfdba57a60065e14c8f0fc4980
Instruction Fuzzy Hash: 2301F43624570CEBC61267746C8DD7B2A59BBC17B5B340129FB21E23A3EA7C8C034520

Function 0082000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?,?,0082035E), ref: 0082002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?), ref: 00820064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820070

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction ID: 232f63ac15f5abd6575653fa9d3b1e5e76d3cad68122e55b567d3de37124282c
Opcode Fuzzy Hash: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction Fuzzy Hash: 2601A276A00724BFEB104F68EC44BAA7AEDFF44752F144124F905D2222E775DD808FA0

Function 0082E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0082E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0082E9A5
Sleep.KERNEL32(00000000), ref: 0082E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0082E9B7
Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction ID: fdc7a1f8d45e2e8203036776ad561e489e67a4b65a1f2d2fafd032fd18b0f6b9
Opcode Fuzzy Hash: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction Fuzzy Hash: ED010531C01A3DDBCF40ABE5E859AEDBB78FB09701F000556E502F2291CB3495948BA6

Function 008210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction ID: 3569eec15e3533e4d67b25a3f4af53c2c52a85fb0f3c77e6595099df428b8953
Opcode Fuzzy Hash: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction Fuzzy Hash: 97014675200315BFDB114BA8EC4DA6A3FAEFF892A1B200418FA41D2360EA35DC50CE60

Function 00820FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00820FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction ID: e94f0386d9b3379d889e94b37a777506565b4c839b2d7478b123d39492115a00
Opcode Fuzzy Hash: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction Fuzzy Hash: DDF04935240B15AFDB214FA5AC4DF5A3BADFF89B62F604414FA46C6291CA74DC808E60

Function 00821014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction ID: cc6a4774cab0dd0a848ff6bb902f8d3644910f751a61712b16a37118e4d3ec68
Opcode Fuzzy Hash: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction Fuzzy Hash: 55F04935240B55AFDB219FA5EC4DF5A3BADFF89762F200414FA46C6290CA74D8808E60

Function 0083030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830324
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830331
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083033E
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083034B
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830358
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830365

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction ID: 0032c67647c106c7a78eaedce86665800cc18e94ae45d8238dcdfcf610c3fd0a
Opcode Fuzzy Hash: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction Fuzzy Hash: C801A272800B159FCB309F66D890412F7F9FF903157158A3FD19692A31C371A954CF80

Function 007FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007FD752

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD764
_free.LIBCMT ref: 007FD776
_free.LIBCMT ref: 007FD788
_free.LIBCMT ref: 007FD79A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction ID: 4b466713ea8e07440c39715a166b7fdad3b1d5eb9371f90eed8016521ef8a74b
Opcode Fuzzy Hash: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction Fuzzy Hash: AEF0FF3259420DAB8621FB68F9C5C3A7BDEBB447107A40805F258EB626C778FC808B74

Function 00825C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00825C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00825C6F
MessageBeep.USER32(00000000), ref: 00825C87
KillTimer.USER32(?,0000040A), ref: 00825CA3
EndDialog.USER32(?,00000001), ref: 00825CBD

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction ID: be93153f7922a6dd4a2b4dfb98b64f5fb8adb85983f935eb60e50cb974736ca3
Opcode Fuzzy Hash: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction Fuzzy Hash: D3018170540B14AFEB215B50ED5EFA677F8FB14B46F00055DA583A14E1EBF8AA888E90

Function 007F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F22BE

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F22D0
_free.LIBCMT ref: 007F22E3
_free.LIBCMT ref: 007F22F4
_free.LIBCMT ref: 007F2305

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction ID: b09b7e83b4da207c761f31d64458a099ffb1cf29526ffe48f95ba08b8d7f3a2b
Opcode Fuzzy Hash: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction Fuzzy Hash: 3FF05E71884126CF8A12FF98BC098283B64FB18760709051BF514E73BACB781912AFE4

Function 007D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007D95D4
StrokeAndFillPath.GDI32(?,?,008171F7,00000000,?,?,?), ref: 007D95F0
SelectObject.GDI32(?,00000000), ref: 007D9603
DeleteObject.GDI32 ref: 007D9616
StrokePath.GDI32(?), ref: 007D9631

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction ID: 27402454472b09c5f3559e180611679818d6faa00f35da472488d6414ebf786c
Opcode Fuzzy Hash: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction Fuzzy Hash: 4FF01930009705EFDB126F65ED1C7A43F71BB00362F488216F525551F0D73989A1DF20

Function 007F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007F10F9
__freea.LIBCMT ref: 007F1117

Part of subcall function 007F1537: _free.LIBCMT ref: 007F154F

Strings

am/pm, xrefs: 007F117A
a/p, xrefs: 007F11DE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction ID: 22b0d142463c0148510520220dc809f79f6fb38a8bdacde15bd3e6d93c48ddd7
Opcode Fuzzy Hash: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction Fuzzy Hash: 31D1F231A1020ECADB289F68C855BFAB7B1FF06310FA84159EB11AB751D77D9D80CB91

Function 00847B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 007E0242: EnterCriticalSection.KERNEL32(0089070C,00891884,?,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E024D
Part of subcall function 007E0242: LeaveCriticalSection.KERNEL32(0089070C,?,007D198B,00892518,?,?,?,007C12F9,00000000), ref: 007E028A

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

__Init_thread_footer.LIBCMT ref: 00847BFB

Part of subcall function 007E01F8: EnterCriticalSection.KERNEL32(0089070C,?,?,007D8747,00892514), ref: 007E0202
Part of subcall function 007E01F8: LeaveCriticalSection.KERNEL32(0089070C,?,007D8747,00892514), ref: 007E0235

Strings

5, xrefs: 00847C78
Variable must be of type 'Object'., xrefs: 00847C3A
G, xrefs: 00847C7F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: edd12634db1a715dbabd06aa07c8f622c474b2b9112bb21f0794287b56113b46
Instruction ID: ef7cd21b62c6156295a73a82e1d2203ad2e6033f106e0a7586cc0ac66c968948
Opcode Fuzzy Hash: edd12634db1a715dbabd06aa07c8f622c474b2b9112bb21f0794287b56113b46
Instruction Fuzzy Hash: AE915674A0420DEFCB14EF98D895EADB7B2FF48304F148059F806AB292DB75AE45CB51

Function 007F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO|, xrefs: 007F5BA8, 007F5C6C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: JO|
API String ID: 0-2887696345
Opcode ID: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction ID: a67a72bab9d489e23be8fca55af7aeadfa73f7c8e4f6e39d7b836146dfa1bf57
Opcode Fuzzy Hash: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction Fuzzy Hash: 7A518EB1901A0EEFCB11AFA5C849ABE7BB8BF49310F14015AF705A7391D7799A01CB61

Function 007F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007F8B7A
__dosmaperr.LIBCMT ref: 007F8B81

Strings

.~, xrefs: 007F8A63

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .~
API String ID: 2434981716-505086709
Opcode ID: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction ID: 53e013105071bac08744e369e43c686731152807fdb14b0ebaf3739e80d320f7
Opcode Fuzzy Hash: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction Fuzzy Hash: 65419FF160414DAFCB659F24DC85A7D7FA5EB85300F2C819AFA548B742DE39CD028751

Function 00822716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0082B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221D0,?,?,00000034,00000800,?,00000034), ref: 0082B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00822760

Part of subcall function 0082B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0082B3F8

Part of subcall function 0082B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0082B355
Part of subcall function 0082B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B365
Part of subcall function 0082B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0082281A

Strings

@, xrefs: 00822832

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction ID: 52a7d83939bb32342cd8a9e66307ccdbe18699a006442b9dfa788c57945e0e7c
Opcode Fuzzy Hash: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction Fuzzy Hash: 1B411D72901228BFDB10DBA8DD85ADEBBB8FF09700F104099FA55B7181DB706E85CB61

Function 007F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 007F1769
_free.LIBCMT ref: 007F1834
_free.LIBCMT ref: 007F183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 007F1760, 007F1767, 007F1796, 007F17CE

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction ID: 5b4b43f379e86c97f901c489aafd69bf65d0d70809f80cc8920109a4eadae799
Opcode Fuzzy Hash: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction Fuzzy Hash: 92319D71A0420CEFCB21EB999989DAEBBFCEB85360F544166EA0497311D6748A40CBA0

Function 0082C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0082C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0082C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00891990,01345618), ref: 0082C395

Strings

0, xrefs: 0082C2DF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction ID: 128aece3e6d6ece3a6cf61edda215c54705176c0038d0b54b4e41d7889d0eb3d
Opcode Fuzzy Hash: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction Fuzzy Hash: F0418B31204351AFD720DF29E888B6EBBA8FF85324F008A1DE9A5D7391D734A944CB52

Function 00854416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085CC08,00000000,?,?,?,?), ref: 008544AA
GetWindowLongW.USER32 ref: 008544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008544D7

Strings

SysTreeView32, xrefs: 0085447C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction ID: 355c2fb02c6827ded6fd2ec976502b933cd69d373269591bfa9f7dae780935e3
Opcode Fuzzy Hash: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction Fuzzy Hash: 63318B31240205AFDF209E38DC45BEA7BA9FB08329F205319F979E22D0D774EC949B50

Function 0084304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00843077,?,?), ref: 00843378

inet_addr.WSOCK32(?), ref: 0084307A
_wcslen.LIBCMT ref: 0084309B
htons.WSOCK32(00000000), ref: 00843106

Strings

255.255.255.255, xrefs: 00843095, 0084309A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
Instruction ID: d9dbc7e93298c3ee8366971cbf3525f9d85876962c6f796028eeb9b8cf52437a
Opcode Fuzzy Hash: 8d79af8b35a8a033d5ad43b0b9ad0d1321e0cb216cec5397a229b727a2384e8f
Instruction Fuzzy Hash: CE31E435200209DFDB10CF68C485EAA77E0FF14318F248199E915DB392DB76EE45CB60

Function 00853EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00853F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00853F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00853F78

Strings

SysMonthCal32, xrefs: 00853F0B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: aa35f7d4928ad424f19daf9edbe040ed468d099a39f294c8d66d6e593ff82f16
Instruction ID: 5286916e50c78f6e440909814958b523427afde67c3890de5c71e8890f6d25a9
Opcode Fuzzy Hash: aa35f7d4928ad424f19daf9edbe040ed468d099a39f294c8d66d6e593ff82f16
Instruction Fuzzy Hash: 0221AB32600219BFDF219E54DC46FEA3BB9FB48754F110218FE15BB190DAB5A9948BA0

Function 00854653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00854705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00854713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0085471A

Strings

msctls_updown32, xrefs: 00854684

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction ID: aae452a5ebf7ed9e473ab555d490c1b27bd4e8ecd5b36888bfe76eea4101807d
Opcode Fuzzy Hash: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction Fuzzy Hash: 97218CB5604209AFEB11DF68DCC5DA737EDFB5A3A9B041049FA01DB291CB30EC55CA60

Function 008295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082961D

Strings

#notrayicon, xrefs: 008295B7
#OnAutoItStartRegister, xrefs: 008295F3
#requireadmin, xrefs: 008295D9

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction ID: 31c2173baf76b92fe582a649a8e87ad42954119a2430a85f95d74732c5b524b4
Opcode Fuzzy Hash: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction Fuzzy Hash: 0F213832204530A6D331AA25AD06FB773D8FF65314F10402AF9DAD7182EB59AD85C2A6

Function 008537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00853840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00853850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00853876

Strings

Listbox, xrefs: 0085380F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction ID: f4d366058e3a799d404ed15193cc4b30c15f20a512c77937d136f299ba489a18
Opcode Fuzzy Hash: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction Fuzzy Hash: 2921CF72600218BBEF219FA4CC85FBB376EFF89791F108124F910AB190C675DC568BA0

Function 008349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00834A5C
SetErrorMode.KERNEL32(00000000,?,?,0085CC08), ref: 00834AD0

Strings

%lu, xrefs: 00834A6F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
Instruction ID: 12c3b554e7d51a88f234f2c714a43583ea733e0c2bdbebdce204673cb5744fb0
Opcode Fuzzy Hash: 5eca4f84ae38b7c90ef4fac08867831c3278b49fca097d9bd18195842733be8c
Instruction Fuzzy Hash: 75312F75A00219AFDB10DF64C885EAA7BF8FF44308F144099F905DB252DB75ED45CBA1

Function 008541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0085424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00854264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00854271

Strings

msctls_trackbar32, xrefs: 00854226

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction ID: db852f0bed99de2bb0af5f6253555947620930a5ebab7396c8542192b94dbeab
Opcode Fuzzy Hash: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction Fuzzy Hash: 0011E331240208BEEF205E29CC46FAB3BACFF95B59F110128FA55E2090D271D8519B20

Function 00822F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Part of subcall function 00822DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
Part of subcall function 00822DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
Part of subcall function 00822DA7: GetCurrentThreadId.KERNEL32 ref: 00822DDD
Part of subcall function 00822DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

GetFocus.USER32 ref: 00822F78

Part of subcall function 00822DEE: GetParent.USER32(00000000), ref: 00822DF9

GetClassNameW.USER32(?,?,00000100), ref: 00822FC3
EnumChildWindows.USER32(?,0082303B), ref: 00822FEB

Strings

%s%d, xrefs: 00822FFF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction ID: 28e1b67a8f1a6981317948b519559db1e2a9e772bf88d565a7704fa514e255f7
Opcode Fuzzy Hash: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction Fuzzy Hash: 0A11C3B1200219ABCF00BF749C95EED37AAFF94304F044079B909DB252DE385E898B70

Function 00855882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558EE
DrawMenuBar.USER32(?), ref: 008558FD

Strings

0, xrefs: 0085588F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c7f08ac3406b1aeaf36acffd6d39ce91a977e8217405e1d399f206c4872d938a
Instruction ID: b52ef3680a142ca8e605d10eb1fc9acf687747e4c1f485f275cf3ae79e1bd4ef
Opcode Fuzzy Hash: c7f08ac3406b1aeaf36acffd6d39ce91a977e8217405e1d399f206c4872d938a
Instruction Fuzzy Hash: B9018431500218EFDB119F51EC44BAEBFB5FF45362F108099E849D6261DB348A84DF71

Function 0082007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction ID: 7d64030a5e0f8e819c4666b7c5538d55c01e897be25b79c729ded36bdeedeccd
Opcode Fuzzy Hash: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction Fuzzy Hash: 7BC14C75A0021AEFDB14CF94D898AAEB7B5FF48704F108599E905EB252D731ED81CF90

Function 0084342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00843459
CoUninitialize.OLE32 ref: 00843463
VariantInit.OLEAUT32(?), ref: 0084346E
VariantClear.OLEAUT32(?), ref: 0084371B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
Instruction ID: 4f440d179eb729dfa824147b5150c142c5a8045f8e4f3a0985fd8b0a94028689
Opcode Fuzzy Hash: 22e74d9f8751b7a59706bb1fd5ecdfdab9faae4aafb13582f32f20ee619436c5
Instruction Fuzzy Hash: 08A103756042059FCB14DF28C489A2AB7E5FF88714F05885DF98A9B362DB34EE01DB92

Function 00820436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 008205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0085FC08,?), ref: 00820608
CLSIDFromProgID.OLE32(?,?,00000000,0085CC40,000000FF,?,00000000,00000800,00000000,?,0085FC08,?), ref: 0082062D
_memcmp.LIBVCRUNTIME ref: 0082064E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
Instruction ID: 53fe8ba2a88d9ca97c8c23a092149137d7bf719d110a2073ea032cb953b959e3
Opcode Fuzzy Hash: f68f0d4ad1bfba5b10d021aed5568333e5a0f3a16c14fb499d1e9e7b4f2a3065
Instruction Fuzzy Hash: 07810771A00219EFCB04DF94C988EEEB7B9FF89315B204558E506EB251DB71AE46CF60

Function 0084A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0084A6BA

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0084A79C
CloseHandle.KERNEL32(00000000), ref: 0084A7AB

Part of subcall function 007DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00803303,?), ref: 007DCE8A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 79d2fd1d973c005c0f291dd785fdd0d83466c8164c8766abc8e3f67b380a387b
Instruction ID: 523f56c5f873a8b90e4cba52363b5b4912c4fe2d6dc45e9f15c2af0e2b729e7d
Opcode Fuzzy Hash: 79d2fd1d973c005c0f291dd785fdd0d83466c8164c8766abc8e3f67b380a387b
Instruction Fuzzy Hash: 03511971508700AFD714EF24D88AE6BBBE8FF89754F40492DF58597251EB34E904CB92

Function 00801391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008014C0

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f218650dcca3b4f93090d9207095d71c3a6ad1f06bbc63f424e1f9b1e8971d81
Instruction ID: e570cc2bcf11f84f34dfc4d93e27ae780fd6d88acad25d6668cca0c23b74ed56
Opcode Fuzzy Hash: f218650dcca3b4f93090d9207095d71c3a6ad1f06bbc63f424e1f9b1e8971d81
Instruction Fuzzy Hash: 94415D32600948EBDF616FBD8C8D6BE3AAAFF45330F144225F618D72E2E73848415766

Function 00856278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008562E2
ScreenToClient.USER32(?,?), ref: 00856315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00856382

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction ID: 1be255b0b380951854d75fb57ba03486aa54f5ad3581d8347083bc47885e72d3
Opcode Fuzzy Hash: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction Fuzzy Hash: BB513A74A00209EFCF10DF68D884AAE7BB6FB45365F508169F815DB2A0E730ED95CB50

Function 00841AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00841AFD
WSAGetLastError.WSOCK32 ref: 00841B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00841B8A
WSAGetLastError.WSOCK32 ref: 00841B94

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
Instruction ID: a2fc383f17477b83c81b539f096b06adcde398b0c2af4fb343e56d8a41f145c9
Opcode Fuzzy Hash: efc7d14a1602e66942e46b88efcaafae91ded40abf813051e33f0cfff80da6dd
Instruction Fuzzy Hash: C6417035640304AFEB20AF24C88AF2977E5EB44718F54845CF91A9F7D2D776DD828B90

Function 007FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction ID: 413225fe76d7a2a60b8d8c35c765c48d7531b05ebcc46b1e472430f4e3de0cfb
Opcode Fuzzy Hash: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction Fuzzy Hash: 63412B75900748FFD7249F78CC45B7E7BA9EB88710F10452AF251DB782D779A9018B90

Function 008356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00835783
GetLastError.KERNEL32(?,00000000), ref: 008357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008357FA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
Instruction ID: ba814c03e74319007079451c990c9fb31dfbc9b915675602eac088d0dd1be42a
Opcode Fuzzy Hash: c5aa0cdebd00a23d008b3e6e19230e08204e92db08d51865cbf24d8120e13f87
Instruction Fuzzy Hash: 7D410735600610DFCB15DF15D445A5ABBE2FF89320B18889CE84AAB362CB38FD41DF91

Function 007FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,007E6D71,00000000,00000000,007E82D9,?,007E82D9,?,00000001,007E6D71,?,00000001,007E82D9,007E82D9), ref: 007FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007FD9AB
__freea.LIBCMT ref: 007FD9B4

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6,?,007C1129), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction ID: a67935a3ce5eb81ecab97033b5f7cf2dfe53a34acc22a89c0e193ae56958b834
Opcode Fuzzy Hash: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction Fuzzy Hash: 2F31CF72A0020AABDF25DFA9DC45EBE7BA6EB40310F054168FD04D7251EB79ED50CBA0

Function 008552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00855352
GetWindowLongW.USER32(?,000000F0), ref: 00855375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00855382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008553A8

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction ID: e8cd6899bd0ab7a2b5b42fc489343332621e904d830cd5821d90f3efa52701f0
Opcode Fuzzy Hash: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction Fuzzy Hash: BE31C134A55A0CEFEF209F14CC25BE977A2FB06392F584016BE19D63E0C7B499889B41

Function 0082AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0082ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0082AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0082AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0082ACC6

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction ID: 24052af6ce448196f9b2b067141f0039d0165826be30b34962ea66a05c7ec4cc
Opcode Fuzzy Hash: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction Fuzzy Hash: 5931F430A04728AFFF298B65EC047FA7BAAFF89310F04421AE485D21D1D3798AC58752

Function 00857674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085769A
GetWindowRect.USER32(?,?), ref: 00857710
PtInRect.USER32(?,?,00858B89), ref: 00857720
MessageBeep.USER32(00000000), ref: 0085778C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction ID: 609ccaca42d67f0bf5e93689ede672ed168918dbdd3e20146ad2731dc25f36d6
Opcode Fuzzy Hash: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction Fuzzy Hash: 2641AD34609255DFDB02DF58E898EA9BBF5FB49306F1880A9E814DB261C330A949CF90

Function 008516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008516EB

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

GetCaretPos.USER32(?), ref: 008516FF
ClientToScreen.USER32(00000000,?), ref: 0085174C
GetForegroundWindow.USER32 ref: 00851752

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
Instruction ID: 04a69b51a870e35e28ef122b794e44ddc43f43ff39989d8b4204309de9d7ab0d
Opcode Fuzzy Hash: ad2e878fa0ff8f4e864c27a6cf8d79bd52c0d8f1622bb6f1766402e5c7fa870c
Instruction Fuzzy Hash: 6F313E75D00249AFCB04EFA9C885DAEBBF9FF48304B5480AEE415E7211DA359E45CBA1

Function 0082DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

_wcslen.LIBCMT ref: 0082DFCB
_wcslen.LIBCMT ref: 0082DFE2
_wcslen.LIBCMT ref: 0082E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0082E018

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: f27b4e73555e0260274fff650ec71c75b08899ff1401c56ef39be1da0e8b4004
Instruction ID: f318add96121162892f79d7ade78423c1ff7835f9521668e412c3f6a29784d7c
Opcode Fuzzy Hash: f27b4e73555e0260274fff650ec71c75b08899ff1401c56ef39be1da0e8b4004
Instruction Fuzzy Hash: E521B171900624EFCB209FA8D981B6EBBF8FF49750F104065E805FB382D6749E818BA1

Function 00858FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

GetCursorPos.USER32(?), ref: 00859001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00817711,?,?,?,?,?), ref: 00859016
GetCursorPos.USER32(?), ref: 0085905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00817711,?,?,?), ref: 00859094

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction ID: c69c3879374902e2e466c2d9886451ff89435fbb8b47fa7ac6ced40be3fa3961
Opcode Fuzzy Hash: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction Fuzzy Hash: 0221BF31600518EFCF268F94CC58EEB7BF9FB89352F044465F945872A1D335A950EB60

Function 0082D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0085CB68), ref: 0082D2FB
GetLastError.KERNEL32 ref: 0082D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0082D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085CB68), ref: 0082D376

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
Instruction ID: a6d9573114525e602ebcbe2a594d8c9e3847fd7d23cea738501b5e990c48854e
Opcode Fuzzy Hash: b58a0945bb755a47b7df7b65c722a483ef2751fa63662cfb1d9c4e2b472866a4
Instruction Fuzzy Hash: 39219F70508311DF8700DF28D8898AABBE4FE56324F504A1DF4A9C33A1E734D98ACB93

Function 00821571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
Part of subcall function 00821014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
Part of subcall function 00821014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
Part of subcall function 00821014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0082104C
Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008215BE
_memcmp.LIBVCRUNTIME ref: 008215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00821617
HeapFree.KERNEL32(00000000), ref: 0082161E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction ID: 548ca70d21ef131f97330c38f53191bb6600d5ac9cf41f4a68769964a0992021
Opcode Fuzzy Hash: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction Fuzzy Hash: D5215771E40218AFDF00DFA4D949BEEB7B8FF64355F284459E441AB241E734AA85CBA0

Function 00852782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0085280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00852840

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 58c70192a1b0a72eabb65696714a213e97d4ad5872fbb6ca523a8122115fbdc6
Instruction ID: 135b8702c580bfc6f1af81fd9ca0debe89e4ddeaa441b78b99176e347ebab15a
Opcode Fuzzy Hash: 58c70192a1b0a72eabb65696714a213e97d4ad5872fbb6ca523a8122115fbdc6
Instruction Fuzzy Hash: A621E031204211AFD715DB24C845FAA7B95FF4A326F14825CF826CB2E2CB75EC86CB90

Function 008278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00828D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828D8C
Part of subcall function 00828D7D: lstrcpyW.KERNEL32(00000000,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00828DB2
Part of subcall function 00828D7D: lstrcmpiW.KERNEL32(00000000,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827923
lstrcpyW.KERNEL32(00000000,?,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827984

Strings

cdecl, xrefs: 0082797B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 00f65486e3f209acd1a6f65d88a6f624f1a862e3f3d569c2ce592dfb8ab76ffc
Instruction ID: 4cc5b1b5e32f759570d65d661da070cf690511eb82e05ad73b72eff9e56fb58e
Opcode Fuzzy Hash: 00f65486e3f209acd1a6f65d88a6f624f1a862e3f3d569c2ce592dfb8ab76ffc
Instruction Fuzzy Hash: 7111E93A200311AFCB155F39E845D7A7BA9FF45354B50402AF946C73A4EB359891C761

Function 00857CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00857D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00857D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00857D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0083B7AD,00000000), ref: 00857D6B

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction ID: f0f9018e7c997cd12c22e31e2df93de26678e26fd412caddc2f7743dda57f0fa
Opcode Fuzzy Hash: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction Fuzzy Hash: F511C031208615AFCB119F68DC08A663BA5FF45362B158325FC35D72F0E7319D58CB40

Function 00855660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008556BB
_wcslen.LIBCMT ref: 008556CD
_wcslen.LIBCMT ref: 008556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction ID: 80497c34372689ac38e4326afe80b6442c9c87ac5399206bfb02d56bc2cf8b68
Opcode Fuzzy Hash: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction Fuzzy Hash: 78110375600608E6DF209FA1DC95AEE3BBCFF10766B10402AFD15E6081E774DA88CF64

Function 007F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3050c6b89a94a2da6877be7a2bf7eeb29d4950a81342bfa2c0bc8c1d3c2bc4
Instruction ID: 29c6ff9fcc1fb595059bcf3d7e687bb26dd0a1592f650bccda71a47bba365e93
Opcode Fuzzy Hash: fd3050c6b89a94a2da6877be7a2bf7eeb29d4950a81342bfa2c0bc8c1d3c2bc4
Instruction Fuzzy Hash: FB018BB2319A1EBEF62126786CC4F37662DEF413B8F750329F721A13D2DB689C005660

Function 00821A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00821A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A8A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction ID: 3ffa6e1ff2079fc697f31343067d5e5f9579d6a7540f9d3ea07929b0e88bffdc
Opcode Fuzzy Hash: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction Fuzzy Hash: 4411273A901229FFEF109BA4C985FADBB78FB18750F2000A1EA01B7290D7716E50DB94

Function 0082E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0082E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0082E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0082E24D

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction ID: 018cd9a0417559ca4fcb9066f1fe4e6784fbd834559024f2f95850d4f93fd64c
Opcode Fuzzy Hash: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction Fuzzy Hash: A211C876904369FFCB019FA8AC09A9E7FACFB45311F144256F925E3391D7788D448BA0

Function 007ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,007ECFF9,00000000,00000004,00000000), ref: 007ED218
GetLastError.KERNEL32 ref: 007ED224
__dosmaperr.LIBCMT ref: 007ED22B
ResumeThread.KERNEL32(00000000), ref: 007ED249

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction ID: 05dfce3369ded3d257633fa17cbe80c208fd1aa6d83d913b8147c74408f35b40
Opcode Fuzzy Hash: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction Fuzzy Hash: C501D636807248BFC7215BA7DC09BAE7A6DFF89731F104219FA25961D0DB798D01C6A1

Function 00859EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

GetClientRect.USER32(?,?), ref: 00859F31
GetCursorPos.USER32(?), ref: 00859F3B
ScreenToClient.USER32(?,?), ref: 00859F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00859F7A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 05d8768b3fceffb0052efa7f61347578bdad4d12f4b9a33e822e1c081bad0ba3
Instruction ID: 02d741674c75b294bcc8406181425a1842afa251f4f59c546544cf0642cdeca8
Opcode Fuzzy Hash: 05d8768b3fceffb0052efa7f61347578bdad4d12f4b9a33e822e1c081bad0ba3
Instruction Fuzzy Hash: 0911183290021AEFDF10EFA9D8899EE77B9FB45312F400455F951E3150DB34BA89CBA1

Function 007C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
GetStockObject.GDI32(00000011), ref: 007C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction ID: bf4baeca850e2db19c7020c8150d29feeee5a47227792aba920921385075aa40
Opcode Fuzzy Hash: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction Fuzzy Hash: F7115E72501609BFEF125F949C84FEA7BA9FF18755F050119FA1562110D73A9CA09F90

Function 007E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 007E3B56

Part of subcall function 007E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007E3AD2
Part of subcall function 007E3AA3: ___AdjustPointer.LIBCMT ref: 007E3AED

_UnwindNestedFrames.LIBCMT ref: 007E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 007E3BA4

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b22b94fcf7a57680e310593f851e22bec77f6833764d96f381c090a273ea2aa
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 04012972101189BBDF126E96CC4AEEB3B6EEF8C754F044014FE4896121C73AE961DBA0

Function 007F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007C13C6,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue), ref: 007F30A5
GetLastError.KERNEL32(?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000,00000364,?,007F2E46), ref: 007F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000), ref: 007F30BF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction ID: 543377cf383ee4bbef506858192cd46cd8d86d67dcf1b289f34dc980345c7c89
Opcode Fuzzy Hash: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction Fuzzy Hash: 1D01D43230132AAFCB214A799C449777B9AAF05BA1B210721FA06E3340CF29D941CAE0

Function 00827464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0082747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00827497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008274CA

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction ID: 73266e8d6abfd8105bf035138071218a265140cfb0f16e048aab876064ed12d0
Opcode Fuzzy Hash: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction Fuzzy Hash: 7811ADB1205325AFE720AF15EC08FA27BFCFB00B04F508569E616D6191D7B4E984DFA5

Function 0082B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B126

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction ID: e6fbef56875121e685d5b8f0d59841209ee78f8a7e869b2d9bec725b244dde7c
Opcode Fuzzy Hash: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction Fuzzy Hash: A5112D31D02A3DEBCF00AFE4E9696EEBF78FF49711F114096D941B2281DB3456A08B55

Function 00857E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00857E33
ScreenToClient.USER32(?,?), ref: 00857E4B
ScreenToClient.USER32(?,?), ref: 00857E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00857E8A

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2e81e821390bba8f8d604917e8b64d6eeaa45bcf3d8369c8c11a29b130561c93
Instruction ID: ef86cc1fbcb15181534fca9c5803ca6621c9b61d49b80c5a6478b3bc320ea94e
Opcode Fuzzy Hash: 2e81e821390bba8f8d604917e8b64d6eeaa45bcf3d8369c8c11a29b130561c93
Instruction Fuzzy Hash: E41142B9D0020AAFDB41CF98D884AEEBBF9FF18311F509066E915E3210D735AA54CF90

Function 00822DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
GetCurrentThreadId.KERNEL32 ref: 00822DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction ID: 477537475445f521050b83ab4d334cc21b933026ce8d26cc5d7fa530c3fdea8a
Opcode Fuzzy Hash: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction Fuzzy Hash: F3E0EDB25417387BD7201B72AC0DEEB7EACFB56BA2F400119B506D50909AA99985CAB0

Function 00858863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00858887
LineTo.GDI32(?,?,?), ref: 00858894
EndPath.GDI32(?), ref: 008588A4
StrokePath.GDI32(?), ref: 008588B2

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction ID: ed4f286f9a576607ed99eeb52b5f6515cbd4af09861fd418e9a0b2801560340e
Opcode Fuzzy Hash: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction Fuzzy Hash: 87F03A36045759FADB126F94AC0DFCA3F69BF06312F448001FA11650E1C7795511CFA5

Function 007D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction ID: 7e2710584abb0d55fa5ae400ea544202b6c31c0081ea8e9773e00c1863a5a7e3
Opcode Fuzzy Hash: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction Fuzzy Hash: 66E06D31284780AEDB215B78AC09BE83F21FB12376F04821AF7FA980E1C77546809F10

Function 0082162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00821634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008211D9), ref: 00821648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082164F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction ID: 307ab00bd70c5e323d683c531c37d37db62ddfe5b4deb5a23c80e6c7f17b0977
Opcode Fuzzy Hash: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction Fuzzy Hash: 95E04F71602321AFDB201BA1AD0DB8A3B68FF64B93F144808F245C9080D6284480CB50

Function 0081D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D858
GetDC.USER32(00000000), ref: 0081D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
Instruction ID: 2122ce86a743e8bf9fdece4e4af494ba75e061e3ad753030cbb76c33171f4755
Opcode Fuzzy Hash: 80321fc4900aec92d92fc004ee658de98730354d8861e62f4ed112d659213ac0
Instruction Fuzzy Hash: BDE075B5800305DFCB519FA09908A6DBBF5FB58712B14945DE84AE7250D73C5A41AF50

Function 0081D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D86C
GetDC.USER32(00000000), ref: 0081D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
Instruction ID: 2bf02e4f3862b3768e6e047bc2f1dda6218a5b5b0eef81d18ef1f5dd985acdc5
Opcode Fuzzy Hash: 24a41614a879494edfd5c8a54e3b288b047b401cbdc1e083f6d9b6fbdd5aa3c3
Instruction Fuzzy Hash: D6E07EB5800304EFCB51AFA09808A6DBBF5BB58712B14944DE94AE7250DB3C5A02AF50

Function 00834D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00834ED4

Strings

*, xrefs: 00834E10
LPT, xrefs: 00834DFB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 6f268c417cad6ae9293409fc912b587cb31f9daef836aa26d2bff0f7a05cc9aa
Instruction ID: b555e8cce4bbf901e78aaf014cbc8ac07a03759b4e0a8da3e3a5d23bc8641b6e
Opcode Fuzzy Hash: 6f268c417cad6ae9293409fc912b587cb31f9daef836aa26d2bff0f7a05cc9aa
Instruction Fuzzy Hash: 0C912C75A002049FCB14DF58C484EA9BBF1FF85318F19909DE80A9B362DB75ED85CB91

Function 007EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007EE30D

Strings

pow, xrefs: 007EE2E5, 007EE302

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction ID: a060e99bbe2bcb9fc0b03818c9fdbe75295246ca01e3dd15cb22ce4ef06166b0
Opcode Fuzzy Hash: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction Fuzzy Hash: 7E51AA61A0E64AD6CB197B15CD4537A3BA8FB04740F348DA9E1D1823E9EF3C8C91DA46

Function 007DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007DE1B1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3766ca68b92afe40e3abf0f7612e1d7b33cb143748371578a8042b3cd4ba1b3a
Instruction ID: 772344bc0c62f28b86ca473b75b27b020ce0def21ce891dc3f94981b1c906211
Opcode Fuzzy Hash: 3766ca68b92afe40e3abf0f7612e1d7b33cb143748371578a8042b3cd4ba1b3a
Instruction Fuzzy Hash: 2C510575500246DFEB15EF68C485AFA7BB8FF55310F24445AEC51DB2D0D638AD82CB60

Function 007DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007DF2BB

Strings

@, xrefs: 007DF2AF

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
Instruction ID: fe45713c5ce83b088f56652ad8fc277741686fbd8f7ce28d526c79908076813b
Opcode Fuzzy Hash: e21d8cd01dc5abeb0c925dd77deb1b232a6c974d3371ad708307f7fc12cf4128
Instruction Fuzzy Hash: 22513472418B44DBD320AF14DC8ABAFBBF8FB84300F81885DF1D9411A5EB749569CB66

Function 00845745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008457E0
_wcslen.LIBCMT ref: 008457EC

Strings

CALLARGARRAY, xrefs: 008457E6, 008457EB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: aaf61ea97ab6d5022264358839d94fc96cb68382cbea3c4d7f5df2cfbb225a6a
Instruction ID: 297a8777ea2817bfb68b8d590d36ccaac18637679dd9595992486654a1096234
Opcode Fuzzy Hash: aaf61ea97ab6d5022264358839d94fc96cb68382cbea3c4d7f5df2cfbb225a6a
Instruction Fuzzy Hash: FB418C31A00209DFCB14EFA9C8859AEBBF5FF59724F10406DE505E7292EB349D81CBA0

Function 0083D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0083D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0083D13A

Strings

|, xrefs: 0083D10B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
Instruction ID: 84f4ff75506f875dd1ea11bb9cbd01811996f87c3ad7c900411dfbc86baacfec
Opcode Fuzzy Hash: 2548dcee7bf3b4882d8376b47b8b1e490c5cd26b5739b839255dbd3c65e3a459
Instruction Fuzzy Hash: EB310771D00209EBCF15EFA5DC89EEEBFB9FF48304F000019E815A6162E735AA16CB90

Function 0085356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00853621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0085365C

Strings

static, xrefs: 008535BC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 98b6539154119e040ebadd94152f0ececc25bf61068198605a18cf1d672aeb68
Instruction ID: 26884efd8344ab539a03b7ea5944164997849e0272dc4ec7ef48d4fc8361d5da
Opcode Fuzzy Hash: 98b6539154119e040ebadd94152f0ececc25bf61068198605a18cf1d672aeb68
Instruction Fuzzy Hash: DE318C71100604AEDB109F28DC80EBB73A9FF98765F10961DF8A5D7290DA34AD85DB60

Function 00854537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0085461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00854634

Strings

', xrefs: 0085458E

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction ID: 8640ab8ef240325ee068772c0b57b8e17c92c57ae515d44e8dc0dc719c1c9e5a
Opcode Fuzzy Hash: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction Fuzzy Hash: 76311774A0120AAFDB14CF69C990BDABBB5FB09305F14506AED04EB341E770A985CF90

Function 008531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0085327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00853287

Strings

Combobox, xrefs: 00853249

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction ID: 729a6476a825ee1a17a9968382750055ac57c62786effabe0b7d3114b4c140a9
Opcode Fuzzy Hash: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction Fuzzy Hash: A811B271304608BFEF219E54DC84EBB376BFB943A6F104129F918E7290D6359D558760

Function 00853710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

GetWindowRect.USER32(00000000,?), ref: 0085377A
GetSysColor.USER32(00000012), ref: 00853794

Strings

static, xrefs: 00853757

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction ID: 12d96dc54db6a9f0dc585e2ff54b6851160c6bc5635c5782badf5c66614fc2eb
Opcode Fuzzy Hash: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction Fuzzy Hash: 111129B2A10209AFDF00DFA8CC45EFA7BB8FB08355F004529FD55E2250E735E9559B50

Function 0083CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0083CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0083CDA6

Strings

<local>, xrefs: 0083CD66

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction ID: 147cb812547f45733ec3c67fbb91f46c71496bd83cbc33cecd65152e3f14633e
Opcode Fuzzy Hash: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction Fuzzy Hash: 6411C275205635BED7385B668C49EE7BEADFF927A8F00422AB109E3180D7749840D7F0

Function 00853429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008534BA

Strings

edit, xrefs: 0085348F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction ID: a8ec8437b6e24e2803c080bce1997bd73bfc4e16f49eeb51c66cc9d73698b3c1
Opcode Fuzzy Hash: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction Fuzzy Hash: D2119D71100208AFEF114E64DC44AAB376AFB243B9F504724FD61D31D0C735DD999B58

Function 00826C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00826CB6
_wcslen.LIBCMT ref: 00826CC2

Strings

STOP, xrefs: 00826CBC, 00826CC1

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
Instruction ID: 443125ecc5327234e48ad606cc77d49bde52ab192c8e15886d4a116dc820cd51
Opcode Fuzzy Hash: 28154cd1b5286c737f77dfaa9c4be0c59f21b556422da26853d58de520102d51
Instruction Fuzzy Hash: 89010032A0053A8BCB20AFFDEC849BF73E4FB607147400528E862D3190FA36D9A0C650

Function 00821CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00821D4C

Strings

ListBox, xrefs: 00821D16
ComboBox, xrefs: 00821CEB

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
Instruction ID: acbd12aa05ac1d6b35c5df17118d523f500d00ab5a457c7ebcc161206cafeddd
Opcode Fuzzy Hash: 100dbd80fbc4913b815d65fbd1b9b290330e4ee4bf970da55b10658c480be1ee
Instruction Fuzzy Hash: C401B575601228EBCF54EBA4EC59DFE77A8FB66350B14051DF832A73C1EA3459488760

Function 00821BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00821C46

Strings

ListBox, xrefs: 00821C10
ComboBox, xrefs: 00821BE5

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
Instruction ID: 8d97e4c39c49792fa1dd8f984982b21953e40f0fd0ef146881a3764089269cff
Opcode Fuzzy Hash: 3b23e55ac1a258a762b6d5ff5a2c87e93ea00e4c83366fca41164bbb70a75620
Instruction Fuzzy Hash: C901AC75641118A6CF14FBA0D959EFF77E8FB31340F14001DA916B7281EA289F5887B1

Function 00821C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00821CC8

Strings

ListBox, xrefs: 00821C94
ComboBox, xrefs: 00821C69

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
Instruction ID: 3d63aa1b108c68fc5c3ab7ae6744be395a5c79e39fa0caf8a81952c70bf8f9bc
Opcode Fuzzy Hash: e56de663e58908d826b2a4348fdd09c4eff9af019b015ed9ffef7bf378a48f5d
Instruction Fuzzy Hash: 06016775641128A6CF14FBA4DA19EFE77E8FB21340B64001DB911F3281EA699F588771

Function 00821D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00821DD3

Strings

ListBox, xrefs: 00821DA0
ComboBox, xrefs: 00821D75

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ac78c4ed3a72bc5d6bca78163ecfdc427f2132b8e38ce991d73635b5f094c1fd
Instruction ID: 81427a738c3ba6807cdc060526caf9724a207275aa64f6bb0403208bd5bfeed5
Opcode Fuzzy Hash: ac78c4ed3a72bc5d6bca78163ecfdc427f2132b8e38ce991d73635b5f094c1fd
Instruction Fuzzy Hash: 16F0F971A40228A6CB14F7A4DC59FFE77A8FB11350F14091DB932E32C1DB6859088360

Function 0084747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00847493
_wcslen.LIBCMT ref: 008474B9

Strings

3, 3, 16, 1, xrefs: 00847483

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction ID: 00d55c2b66d4230e393962a9223cce3db8ef2cc7c8245b6b70377638fbc87928
Opcode Fuzzy Hash: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction Fuzzy Hash: A4E02B42205260609231227A9CC597F5789EFDD750710182BF981D2267EB98DD9193F5

Function 00820B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00820B23

Strings

AutoIt, xrefs: 00820B17
Error allocating memory., xrefs: 00820B1C

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: bf9baa289fcff649da7550b45e91f78fed72c6e7c0835d1610731b2299d61a10
Instruction ID: 3d2f66299078dc686590fc344f3244d226fdff7accff9dbf809e6420f4cbc081
Opcode Fuzzy Hash: bf9baa289fcff649da7550b45e91f78fed72c6e7c0835d1610731b2299d61a10
Instruction Fuzzy Hash: 88E0D8312443186ED21036957C0BF897F94EF09F61F10046BFB98D56C38AE928904AE9

Function 007E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,007E0D71,?,?,?,007C100A), ref: 007DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007C100A), ref: 007E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007C100A), ref: 007E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007E0D7F

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction ID: 0036ca8fd212bd09689b395a5af908993533146ef0fbad24d1cfbb0848676cb9
Opcode Fuzzy Hash: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction Fuzzy Hash: 40E039742003418BD320AFA9D8487467BE0BB04756F00492DE882CA652DBF8E4888BE1

Function 00833017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0083302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00833044

Strings

aut, xrefs: 00833038

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction ID: 98e58a1145cb6b1606809b517cf45f24df94bf0d7320a8b3f47ecbb33bf51f69
Opcode Fuzzy Hash: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction Fuzzy Hash: C9D05E765003286BDA30A7A4AC4EFCB3B6CEB04751F0002A1B655E2091EAB89984CFD0

Function 0081D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0081D220

Strings

X64, xrefs: 0081D2A8
%.3d, xrefs: 0081D22B

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction ID: d63547bdff0160e4fe89bb17e897f72241467a58c9e3b795673c680c6f15385e
Opcode Fuzzy Hash: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction Fuzzy Hash: B9D012A180831CE9CB5096E0CC49AF9B37CFF19305F608453F826D1140D63CE9886B61

Function 00852322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0085233F

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852325

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction ID: 130bd091dcdfb62f1cc70c64e59a1e4b116a5e3fdbbd94a29f60472ba0349ff3
Opcode Fuzzy Hash: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction Fuzzy Hash: FCD0A932380310BAE2A4B770AC1FFC66A04BB00B01F004A067205EA1D0D8A8A8418A44

Function 00852356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085236C
PostMessageW.USER32(00000000), ref: 00852373

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852365

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction ID: 22ea5ccbd88cc356f63a1a5a9610c0acc21afb50a5c48046be8a367c77a4febf
Opcode Fuzzy Hash: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction Fuzzy Hash: 2BD0A9323803107AE2A4B770AC0FFC66A04BB00B01F004A067201EA1D0D8A8A8418A48

Function 007FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 007FBE93
GetLastError.KERNEL32 ref: 007FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FBEFC

Memory Dump Source

Source File: 00000000.00000002.1732386007.00000000007C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1732354160.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.000000000085C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732464398.0000000000882000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732549080.000000000088C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1732583094.0000000000894000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
Instruction ID: e5c26a6c2c74baa128d4fef73abc30e204b5a3684a30d56416a15e0b6e9984eb
Opcode Fuzzy Hash: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
Instruction Fuzzy Hash: E241F53560120AEFCF218FA5CC84ABA7BE5EF45320F144169FA59973A1DB388D00DB61

Analysis Process: firefox.exePID: 7820, Parent PID: 7940COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00000193A5A22377 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00000193A5A2239C

Memory Dump Source

Source File: 00000010.00000002.3532673996.00000193A5A20000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000193A5A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_193a5a20000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 907ecd704153f082c0aa6d8d6678b77f4956c6a099d441f911e75a5afa36edf1
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: 5EA3B531714A498BDB2EDF28DC966ED77E5FB55300F04422ED98BC7291DF30EA528A81

Function 00000193A5A2BDC0 Relevance: .1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3532673996.00000193A5A2B000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000193A5A2B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_193a5a2b000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e825b1f4ad5c484f7c15f30515268f25d2993c8333ec0a5a01b35fadfc96b52b
Instruction ID: dfdd216b304df7bc916ac950fe353220e939782e07e76e2b752d813053ba5353
Opcode Fuzzy Hash: e825b1f4ad5c484f7c15f30515268f25d2993c8333ec0a5a01b35fadfc96b52b
Instruction Fuzzy Hash: 2D21A23160DB8C4FD746EF28C855B96BBE0FB5A310F1506AFE099C32A2DB34D9458782

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1776020241.000002CA3E5A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1862624781.000002CA48749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845973634.000002CA4840B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1862624781.000002CA48749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845973634.000002CA4840B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908820744.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922495205.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863631921.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1927837489.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911515336.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1927837489.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911515336.000002CA4055E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1862624781.000002CA48749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845973634.000002CA4840B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1862624781.000002CA48749000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1845973634.000002CA4840B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1846925069.000002CA44C8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1848803739.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911186954.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA40593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1848803739.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911186954.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA40593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1848803739.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911186954.000002CA4057A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754116295.000002CA40593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908820744.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922495205.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1863631921.000002CA480F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1895173201.000002CA481AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908820744.000002CA480E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922495205.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1756189447.000002CA3E6F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49794 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e2e6f87c-8106-4e54-89f8-914cd0653fbb.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_e2e6f87c-8106-4e54-89f8-914cd0653fbb.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BL8R07ZCWCRZBXTB55X5.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SFF5UO3UKOK0M4S8WU53.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre