Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561852
MD5:	76f39bc0a5718af31e2c979ee0da0837
SHA1:	1ee9012e6af8e840de04056e864f0e04a8410d29
SHA256:	ead531012a862454556b9efaa303298922ea6b27ae8865827dcacfa586b4c590
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6248 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 76F39BC0A5718AF31E2C979EE0DA0837)

taskkill.exe (PID: 6224 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3060 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2828 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6876 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6300 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6516 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1516 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3084 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7160 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4c19da-07e9-4e1a-9ce2-f4e466361ce6} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e16ef10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7500 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3880 -prefMapHandle 2888 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f226f1-1a1c-41d2-bbb4-bf72ea27501c} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e182a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7172 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2612 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dce7259-bfc2-44f9-b9ca-cb65ac3e711e} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f1a07c7510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1735321055.0000000001060000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6248	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0079EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0079EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0079ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0079EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0078AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_007B9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1672175141.00000000007E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_906d6493-f
Source: file.exe, 00000000.00000000.1672175141.00000000007E2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b07b752f-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6f82fe52-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d9983930-e

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000271411F7777 NtQuerySystemInformation,		16_2_00000271411F7777
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027141982AF2 NtQuerySystemInformation,		16_2_0000027141982AF2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0078D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00781201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00781201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0078E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00728060	0_2_00728060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00792046	0_2_00792046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00788298	0_2_00788298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075E4FF	0_2_0075E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0075676B	0_2_0075676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B4873	0_2_007B4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072CAF0	0_2_0072CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074CAA0	0_2_0074CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073CC39	0_2_0073CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00756DD9	0_2_00756DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073B119	0_2_0073B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007291C0	0_2_007291C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741394	0_2_00741394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741706	0_2_00741706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074781B	0_2_0074781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073997D	0_2_0073997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00727920	0_2_00727920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007419B0	0_2_007419B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00747A4A	0_2_00747A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741C77	0_2_00741C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00747CA7	0_2_00747CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007ABE44	0_2_007ABE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00759EEE	0_2_00759EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741F32	0_2_00741F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_00000271411F7777	16_2_00000271411F7777
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027141982AF2	16_2_0000027141982AF2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002714198321C	16_2_000002714198321C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_0000027141982B32	16_2_0000027141982B32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0073F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00740A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007937B5 GetLastError,FormatMessageW,

0_2_007937B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007810BF AdjustTokenPrivileges,CloseHandle,		0_2_007810BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007816C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007951CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0078D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0079648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007242A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1878654120.000001F1A90C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1844901320.000001F1A9FF6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4c19da-07e9-4e1a-9ce2-f4e466361ce6} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e16ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3880 -prefMapHandle 2888 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f226f1-1a1c-41d2-bbb4-bf72ea27501c} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e182a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2612 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dce7259-bfc2-44f9-b9ca-cb65ac3e711e} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f1a07c7510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4c19da-07e9-4e1a-9ce2-f4e466361ce6} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e16ef10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3880 -prefMapHandle 2888 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f226f1-1a1c-41d2-bbb4-bf72ea27501c} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e182a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2612 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dce7259-bfc2-44f9-b9ca-cb65ac3e711e} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f1a07c7510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1855983812.000001F19B8B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1855983812.000001F19B8B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1851655121.000001F19B8AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1851655121.000001F19B8AB000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00740A76 push ecx; ret

0_2_00740A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0073F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_007B1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95857

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000271411F7777 rdtsc

16_2_00000271411F7777

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0078DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007968EE FindFirstFileW,FindClose,	0_2_007968EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0079698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0078D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0078D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0078D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00799642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00799642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0079979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0079979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00799B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00799B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00795C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00795C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: firefox.exe, 00000011.00000002.3531699960.000002A2F5C8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp+
Source: firefox.exe, 0000000F.00000002.3532525245.000001F019BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 0000000F.00000002.3538342422.000001F01A108000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3532525245.000001F019BBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3537647678.0000027141870000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3532566090.000002714113A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3536531233.000002A2F6000000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3537738987.000001F01A015000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000000F.00000002.3538342422.000001F01A108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: firefox.exe, 0000000F.00000002.3538342422.000001F01A108000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3537647678.0000027141870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_00000271411F7777 rdtsc

16_2_00000271411F7777

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0079EAA2 BlockInput,

0_2_0079EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00752622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00752622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00744CE8 mov eax, dword ptr fs:[00000030h]

0_2_00744CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00780B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00780B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00752622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00752622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0074083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007409D5 SetUnhandledExceptionFilter,	0_2_007409D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00740C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00740C21

Source: C:\Users\user\Desktop\file.exe

0_2_00781201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00762BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00762BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0078B226 SendInput,keybd_event,

0_2_0078B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007A22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00780B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00781663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00781663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1798614066.000001F1AA401000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00740698 cpuid

0_2_00740698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00798195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00798195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0077D27A GetUserNameW,

0_2_0077D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0075BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0075BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007242DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1735321055.0000000001060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6248, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1735321055.0000000001060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6248, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_007A1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_007A1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.195.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
dualstack.reddit.map.fastly.net	151.101.1.140	true	false	high
youtube-ui.l.google.com	172.217.19.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4	firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907198445.000001F1A607E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5DC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1914571389.000001F19FCF7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1789372936.000001F1A6826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1917016406.000001F1A96C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789867930.000001F1A6830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910601547.000001F1A96BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A6824000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3534541452.000001F019FBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3537134848.000002A2F6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.3534226431.0000027141385000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1914571389.000001F19FCF7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1880745716.000001F1A62D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1721911424.000001F19DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720096157.000001F19DE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1719636860.000001F19DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718698219.000001F19DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720681028.000001F19DE5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1905942117.000001F1A0060000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1894310454.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878340502.000001F1A9C9C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1764047907.000001F1A60CD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1721911424.000001F19DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720096157.000001F19DE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1719636860.000001F19DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1856242194.000001F1A5F20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718698219.000001F19DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905942117.000001F1A003D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720681028.000001F19DE5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1884805913.000001F1A0BD6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/0	firefox.exe, 0000000D.00000003.1897950011.000007A8E9904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1897858611.000003A2DA903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1721911424.000001F19DE77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720096157.000001F19DE3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1719636860.000001F19DE1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718698219.000001F19DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1720681028.000001F19DE5A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1882021572.000001F1A14A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1914943284.000001F19FC94000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1914571389.000001F19FCF7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3534541452.000001F019FBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3537134848.000002A2F6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1878474123.000001F1A9C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1881198944.000001F1A6270000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2	firefox.exe, 0000000D.00000003.1890148234.000001F1A07DC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1904139736.000001F1AA042000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3534541452.000001F019FBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3537134848.000002A2F6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1881198944.000001F1A6270000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.000002714130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1789372936.000001F1A6826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1790217393.000001F1A681A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789923654.000001F1A6807000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A6824000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1878474123.000001F1A9C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1881198944.000001F1A6270000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907198445.000001F1A607E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5DC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1881715946.000001F1A1EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1789963750.000001F1A63BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A680B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789923654.000001F1A6807000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1861923675.000001F19FFC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1899532228.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1890148234.000001F1A07B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918115957.000001F1A07B9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1910798435.000001F1A968D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1876765162.000001F1AA03D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1880745716.000001F1A62D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907198445.000001F1A607E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.0000027141312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1894400931.000001F1A9944000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1764047907.000001F1A60CD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1788890710.000001F1A680B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789923654.000001F1A6807000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListenerUseOfReleaseEventsWarningUse	firefox.exe, 0000000D.00000003.1904139736.000001F1AA042000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1844132610.000001F19FF8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1787675250.000001F1A68F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861923675.000001F19FFD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765891553.000001F1A61E4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844132610.000001F19FF23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1851229748.000001F1A68F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849140837.000001F19E1FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1861923675.000001F19FFC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765573194.000001F1A61F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907198445.000001F1A6099000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849140837.000001F19E1F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1726770683.000001F19DE68000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1857474609.000001F1A61C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733256760.000001F19E1CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902975169.000001F1A0533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1902849690.000001F19FFBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789132248.000001F1A63E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865318121.000001F1A18C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1764047907.000001F1A60D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899910957.000001F1A148E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1767364506.000001F1A61F7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1884805913.000001F1A0BD6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1884805913.000001F1A0BAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1884805913.000001F1A0BD6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1910993689.000001F1A03F4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1895740969.000001F1A1526000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1895740969.000001F1A1526000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1915014540.000001F19F647000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1727149179.000001F19DA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727689434.000001F19DA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727944025.000001F19DA33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1788890710.000001F1A680B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789923654.000001F1A6807000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1905900905.000001F1A008E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1901630487.000001F1A008E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914213627.000001F1A0095000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1899910957.000001F1A148E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1882021572.000001F1A148E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907453558.000001F1A148E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1789372936.000001F1A6826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1790217393.000001F1A681A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A680B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789923654.000001F1A6807000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A6824000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1727149179.000001F19DA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727689434.000001F19DA1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727944025.000001F19DA33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1878474123.000001F1A9C1A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3534541452.000001F019FBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3534226431.00000271413F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3537134848.000002A2F6203000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1880745716.000001F1A62D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1840945043.000001F1AABF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1844901320.000001F1A9F46000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3534106972.000001F019D90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3532884336.0000027141170000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3536236525.000002A2F5E80000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1720681028.000001F19DE5A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/D	firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561852
Start date and time:	2024-11-24 13:46:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@70/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 39 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 52.32.237.164, 34.209.229.249, 172.217.17.78, 88.221.134.155, 88.221.134.209, 172.217.17.74, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	zapret.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	34.117.59.81
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	lw2HMxuVuf.exe	Get hash	malicious	Unknown	Browse	34.160.176.28
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	zgp.elf	Get hash	malicious	Mirai	Browse	56.101.120.102
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df742fd1-5d4b-461c-a35d-f7640dc3f772.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180815074479779
Encrypted:	false
SSDEEP:	192:qjMXiMXcbhbVbTbfbRbObtbyEl7nHryJA6WnSrDtTUd/SkDr0:qYHcNhnzFSJnrhBnSrDhUd/e
MD5:	1813A807CC6FBB9D3EAD8F3182010196
SHA1:	DF397FEB9B88A30811D8F4788ADE7F657A877A8A
SHA-256:	5F888272B068B37CD6DACC6409716E7CC85D29E4A76E87163943C4CB0156DD37
SHA-512:	E6357332A12D5B3C6522FC4563DB9D59B899D7188A3D091B1BAECB9F7EA1C7E36748A3EEA860DC9D2F2AC134DAD9BE73F7885B9B3A2280B52A44DEB2C7FC4C87
Malicious:	false
Preview:	{"type":"uninstall","id":"df742fd1-5d4b-461c-a35d-f7640dc3f772","creationDate":"2024-11-24T14:19:29.525Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df742fd1-5d4b-461c-a35d-f7640dc3f772.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.180815074479779
Encrypted:	false
SSDEEP:	192:qjMXiMXcbhbVbTbfbRbObtbyEl7nHryJA6WnSrDtTUd/SkDr0:qYHcNhnzFSJnrhBnSrDhUd/e
MD5:	1813A807CC6FBB9D3EAD8F3182010196
SHA1:	DF397FEB9B88A30811D8F4788ADE7F657A877A8A
SHA-256:	5F888272B068B37CD6DACC6409716E7CC85D29E4A76E87163943C4CB0156DD37
SHA-512:	E6357332A12D5B3C6522FC4563DB9D59B899D7188A3D091B1BAECB9F7EA1C7E36748A3EEA860DC9D2F2AC134DAD9BE73F7885B9B3A2280B52A44DEB2C7FC4C87
Malicious:	false
Preview:	{"type":"uninstall","id":"df742fd1-5d4b-461c-a35d-f7640dc3f772","creationDate":"2024-11-24T14:19:29.525Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\18CX51L3HYLNCBJ0DXHU.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2984063346752417
Encrypted:	false
SSDEEP:	24:vdfuiAzTIUx2dWoM15dpLLN8zmSdfuiAzswM+bpoqdWoM15dpLLFX1RgmQdfuiAt:vdKQUgdwzwzxdK06BdwzIndK0adwzq1
MD5:	EE621A88325152DEAD20D3ECA8F848F6
SHA1:	878B803F0F163DA737F96F3DF7D2DC5784F9D921
SHA-256:	4AFFE48854DCA30D8ACB5FDCE47FA29A2D5019B7949EA389518262BF7C71774D
SHA-512:	69CDEC44F14CF2A1A9D27CB1E2705F887CAF0861D0DB74BFC9B7AFB2D6DDDBDF6B0B3F49F1E10C17DC86FFC4AC67B408AE11B9210C7B2E3260C88FAA0712F9FF
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........o>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxY.e....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxY.e............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxY.e..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%dU.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2984063346752417
Encrypted:	false
SSDEEP:	24:vdfuiAzTIUx2dWoM15dpLLN8zmSdfuiAzswM+bpoqdWoM15dpLLFX1RgmQdfuiAt:vdKQUgdwzwzxdK06BdwzIndK0adwzq1
MD5:	EE621A88325152DEAD20D3ECA8F848F6
SHA1:	878B803F0F163DA737F96F3DF7D2DC5784F9D921
SHA-256:	4AFFE48854DCA30D8ACB5FDCE47FA29A2D5019B7949EA389518262BF7C71774D
SHA-512:	69CDEC44F14CF2A1A9D27CB1E2705F887CAF0861D0DB74BFC9B7AFB2D6DDDBDF6B0B3F49F1E10C17DC86FFC4AC67B408AE11B9210C7B2E3260C88FAA0712F9FF
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........o>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxY.e....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxY.e............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxY.e..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%dU.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2984063346752417
Encrypted:	false
SSDEEP:	24:vdfuiAzTIUx2dWoM15dpLLN8zmSdfuiAzswM+bpoqdWoM15dpLLFX1RgmQdfuiAt:vdKQUgdwzwzxdK06BdwzIndK0adwzq1
MD5:	EE621A88325152DEAD20D3ECA8F848F6
SHA1:	878B803F0F163DA737F96F3DF7D2DC5784F9D921
SHA-256:	4AFFE48854DCA30D8ACB5FDCE47FA29A2D5019B7949EA389518262BF7C71774D
SHA-512:	69CDEC44F14CF2A1A9D27CB1E2705F887CAF0861D0DB74BFC9B7AFB2D6DDDBDF6B0B3F49F1E10C17DC86FFC4AC67B408AE11B9210C7B2E3260C88FAA0712F9FF
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........o>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxY.e....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxY.e............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxY.e..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%dU.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\73UER8CAKXBLFX5X1DQF.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.2984063346752417
Encrypted:	false
SSDEEP:	24:vdfuiAzTIUx2dWoM15dpLLN8zmSdfuiAzswM+bpoqdWoM15dpLLFX1RgmQdfuiAt:vdKQUgdwzwzxdK06BdwzIndK0adwzq1
MD5:	EE621A88325152DEAD20D3ECA8F848F6
SHA1:	878B803F0F163DA737F96F3DF7D2DC5784F9D921
SHA-256:	4AFFE48854DCA30D8ACB5FDCE47FA29A2D5019B7949EA389518262BF7C71774D
SHA-512:	69CDEC44F14CF2A1A9D27CB1E2705F887CAF0861D0DB74BFC9B7AFB2D6DDDBDF6B0B3F49F1E10C17DC86FFC4AC67B408AE11B9210C7B2E3260C88FAA0712F9FF
Malicious:	false
Preview:	...................................FL..................F.@.. ...p...........o>..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IxY.e....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WxY.e............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WxY.e..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............%dU.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925050697263287
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL1l88P:8S+OBIUjOdwiOdYVjjwL1l88P
MD5:	A79CF4CAFAED58CA6A1D0CBCFE76B175
SHA1:	BADB0AE914ADC7B753CD6D2F2E4665215EF8D8F6
SHA-256:	F787CE2876DD6C9CAE814CD1BF32BDD14B1FFD10E2B39C101864A6733B6BBCDF
SHA-512:	33D1F93A2E3C4E009E7BD21C86BD7E955AB2BE5BC18CE9342C826BA841E6B5393A96A12543155798021A37E40F4DDCE08FEB8DF11E7821D6C03788218C8A3E2E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.925050697263287
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNL1l88P:8S+OBIUjOdwiOdYVjjwL1l88P
MD5:	A79CF4CAFAED58CA6A1D0CBCFE76B175
SHA1:	BADB0AE914ADC7B753CD6D2F2E4665215EF8D8F6
SHA-256:	F787CE2876DD6C9CAE814CD1BF32BDD14B1FFD10E2B39C101864A6733B6BBCDF
SHA-512:	33D1F93A2E3C4E009E7BD21C86BD7E955AB2BE5BC18CE9342C826BA841E6B5393A96A12543155798021A37E40F4DDCE08FEB8DF11E7821D6C03788218C8A3E2E
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07331989049242436
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkih0K:DLhesh7Owd4+jih0K
MD5:	C38DE2772458B7510F3F7569B5E3125E
SHA1:	47387B2B5419CF2A5FE7F75CD0A263934010E568
SHA-256:	680292C1500E14EFDE4F32F8E0CE7F1B73A13C0643D9DC326EF93F0472FDCBB3
SHA-512:	F40C0462167A31EC4E118E0830BAABCE498313C187660AD8345E62DCD346648970911EF2F29459D79C108F56D55A12D5A4B0410BD5D15989BD9870BDC75922A0
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.038809065359681434
Encrypted:	false
SSDEEP:	3:GHlhV3ICJxsKe4/HlhV3ICJxsKGSl8a9//Ylll4llqlyllel4lt:G7VYC7ss/7VYC7sSL9XIwlio
MD5:	1E3B3050D8F6F9676126A422E0B45619
SHA1:	800DCE423721BA57D8B4CFEAB3E2BA3684F230D0
SHA-256:	E300E0D53B80EFF393F1644EF82EE413B75023060A03E126363EDA084C03CC40
SHA-512:	6D9325E12BCF4E0A8AE3465FCFD0AE03DD5767D7F9A45C9EDB1180BCFB11D194A0BE0F47E504647F71B8AEC6D6DBF3D3BCA85E0719D30B9FBED614D4357CA217
Malicious:	false
Preview:	..-.......................T5...6.....`5..?d....0..-.......................T5...6.....`5..?d....0........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11788722849630731
Encrypted:	false
SSDEEP:	24:KcMfk0LxsZ+2jxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxzwlRVZ2i7+:tMMgQ1JtUnWdU+RVxEBZk
MD5:	6A05651B3AFE631AD5E0EA37D0A67F35
SHA1:	A12BF7C6BB68FF4D4B4777AF1759D4253B516AF9
SHA-256:	0A00777E9A80617D1003848C9FC2ACA50B749C5DFB1F94BB0BEFD6EFF73B15FC
SHA-512:	65972335BE94A7A1B63F722B186C11845BE4683830C8B6E31252F303CD30DA5351BEE15FE2DC15ADCA1833F15181F4E7042440B48C05C30246A05B26718335D5
Malicious:	false
Preview:	7....-...............`5..\|..'.1b.............`5.t.)....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495239834455727
Encrypted:	false
SSDEEP:	192:pnaRtLYbBp6Ghj4qyaaXP6KmGNzn5RfGNBw8dWSl:UeEq9FCfcwh0
MD5:	6E2CA343CE0C71AC6D5DB25AF9307962
SHA1:	3945B12A7918CFC19F2553C7572AB77C4194C65A
SHA-256:	89B3061E2FBE48D572BDBA4174754A25E2871EC5F5966F6A996E02C8502EB581
SHA-512:	95CA4FFCF04B0A0D13233774E37D7BBF3FD8DD73FD37FCDACB19ED145866E18B3AB16BED071140F2C354A2EEDDE5FD2603D3836F3094025291D3BB94EA4A9705
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732457939);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732457939);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732457939);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.495239834455727
Encrypted:	false
SSDEEP:	192:pnaRtLYbBp6Ghj4qyaaXP6KmGNzn5RfGNBw8dWSl:UeEq9FCfcwh0
MD5:	6E2CA343CE0C71AC6D5DB25AF9307962
SHA1:	3945B12A7918CFC19F2553C7572AB77C4194C65A
SHA-256:	89B3061E2FBE48D572BDBA4174754A25E2871EC5F5966F6A996E02C8502EB581
SHA-512:	95CA4FFCF04B0A0D13233774E37D7BBF3FD8DD73FD37FCDACB19ED145866E18B3AB16BED071140F2C354A2EEDDE5FD2603D3836F3094025291D3BB94EA4A9705
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732457939);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732457939);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732457939);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173245

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1606
Entropy (8bit):	6.356450415719222
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSm3LXnIgMw/pnxQwRls6ZspHsRGH3j6xiMctdL/5QH2oXpMurD/I0DO:cpOxHlnRTZYjGxHc5kpMgwcR4
MD5:	4266D2BC482DDE1A5F4365CC2291F3D7
SHA1:	3535243A7A3D2D8279C6625D263E43B18D5337DC
SHA-256:	91F46C4A7F4E3CD6EEAF5683363D77F628BEE6D1A88772201494B9D9F0F84E8F
SHA-512:	7E4559EFB86DAFA4173226027C161C99502595C6C1469E4C0DB14A7C766351E06329B07344AFE1DDD42EACB770E28B730E1B6A89EAE8117599B31773E223BDB1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e09f9e21-e068-4b9b-8dfc-8a424beb8b9c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732457944233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P09004...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...16141,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1606
Entropy (8bit):	6.356450415719222
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSm3LXnIgMw/pnxQwRls6ZspHsRGH3j6xiMctdL/5QH2oXpMurD/I0DO:cpOxHlnRTZYjGxHc5kpMgwcR4
MD5:	4266D2BC482DDE1A5F4365CC2291F3D7
SHA1:	3535243A7A3D2D8279C6625D263E43B18D5337DC
SHA-256:	91F46C4A7F4E3CD6EEAF5683363D77F628BEE6D1A88772201494B9D9F0F84E8F
SHA-512:	7E4559EFB86DAFA4173226027C161C99502595C6C1469E4C0DB14A7C766351E06329B07344AFE1DDD42EACB770E28B730E1B6A89EAE8117599B31773E223BDB1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e09f9e21-e068-4b9b-8dfc-8a424beb8b9c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732457944233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P09004...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...16141,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1606
Entropy (8bit):	6.356450415719222
Encrypted:	false
SSDEEP:	24:vkSUGlcAxSm3LXnIgMw/pnxQwRls6ZspHsRGH3j6xiMctdL/5QH2oXpMurD/I0DO:cpOxHlnRTZYjGxHc5kpMgwcR4
MD5:	4266D2BC482DDE1A5F4365CC2291F3D7
SHA1:	3535243A7A3D2D8279C6625D263E43B18D5337DC
SHA-256:	91F46C4A7F4E3CD6EEAF5683363D77F628BEE6D1A88772201494B9D9F0F84E8F
SHA-512:	7E4559EFB86DAFA4173226027C161C99502595C6C1469E4C0DB14A7C766351E06329B07344AFE1DDD42EACB770E28B730E1B6A89EAE8117599B31773E223BDB1
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{e09f9e21-e068-4b9b-8dfc-8a424beb8b9c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732457944233,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..jUpdate.....wtartTim..P09004...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...16141,"originA...

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03423685509762
Encrypted:	false
SSDEEP:	48:YrSAYE6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycEyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	807FEB27BABD8991B361BDEA7B365056
SHA1:	77802730EB06E4AA13A208FF88872F88EAAD1933
SHA-256:	48FE7E3D6D6A7E881B4EF3B1B8CBF4D4F2C99658DC3D4DF3361E3E866889ED47
SHA-512:	EA4D38D1968CEE4249A75F142B0C462B537526C7965DD0412E21097BFD4C50F49ED007C35F969D6B474D3F5F22F083AFB131DC8781E64BF9A0DEED184738D5B4
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T14:18:44.812Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03423685509762
Encrypted:	false
SSDEEP:	48:YrSAYE6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:ycEyTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	807FEB27BABD8991B361BDEA7B365056
SHA1:	77802730EB06E4AA13A208FF88872F88EAAD1933
SHA-256:	48FE7E3D6D6A7E881B4EF3B1B8CBF4D4F2C99658DC3D4DF3361E3E866889ED47
SHA-512:	EA4D38D1968CEE4249A75F142B0C462B537526C7965DD0412E21097BFD4C50F49ED007C35F969D6B474D3F5F22F083AFB131DC8781E64BF9A0DEED184738D5B4
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-24T14:18:44.812Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.590275242916394
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	921'600 bytes
MD5:	76f39bc0a5718af31e2c979ee0da0837
SHA1:	1ee9012e6af8e840de04056e864f0e04a8410d29
SHA256:	ead531012a862454556b9efaa303298922ea6b27ae8865827dcacfa586b4c590
SHA512:	e22d760ac2bedcd2e67295e05035cf8a7a257ec22132746acd3613964610c40f3b61eff0ab5dcb45f4246cc3abc8511da1c186a608ee69018a95de1f2d485c82
SSDEEP:	12288:PqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgadTC:PqDEvCTbMWu7rQYlBQcBiT6rprG8aZC
TLSH:	55159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67431CE7 [Sun Nov 24 12:32:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FB2110E06B3h
jmp 00007FB2110DFFBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB2110E019Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB2110E016Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FB2110E2D5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FB2110E2DA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FB2110E2D91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa53c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa53c	0xa600	00bca7ed0ac2b43f41c613074503e861	False	0.35824548192771083	data	5.570221574537985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1804	data			1.0017891997397528
RT_GROUP_ICON	0xddfbc	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde034	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde048	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde05c	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde070	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde14c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 13:47:45.656888008 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:45.656970978 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 13:47:45.661078930 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:45.666222095 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:45.666258097 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 13:47:46.981514931 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 13:47:46.988495111 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:47.027292967 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:47.027345896 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 13:47:47.027421951 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:47.028100014 CET	443	49736	35.190.72.216	192.168.2.4
Nov 24, 2024 13:47:47.028163910 CET	49736	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:47:48.419025898 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.419138908 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:48.421089888 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.423360109 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.423398018 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:48.557135105 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.557208061 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:48.558202982 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.559777975 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:48.559815884 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:48.735740900 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:48.855381012 CET	80	49740	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:48.857916117 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:48.858061075 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:48.977591991 CET	80	49740	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:49.016563892 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.016613007 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:49.017297029 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.018716097 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.018733978 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:49.022769928 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:49.022779942 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:49.023004055 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:49.023468018 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:49.023488045 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:49.024852037 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.024888039 CET	443	49744	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:49.025072098 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.027061939 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:49.027087927 CET	443	49744	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:49.399302006 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:49.399334908 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:49.399952888 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:49.400171041 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:49.400186062 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:49.943579912 CET	80	49740	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:50.039160967 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.189017057 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.189122915 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.190007925 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.190083981 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.194434881 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.194463968 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.194544077 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.194740057 CET	443	49738	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.194883108 CET	49738	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.202181101 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.261449099 CET	443	49744	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.261543036 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.265582085 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.265599966 CET	443	49744	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.265666962 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.265924931 CET	443	49744	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.266002893 CET	49744	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.288295031 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.290570021 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.294589043 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.294604063 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.294652939 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.294806957 CET	443	49742	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.296150923 CET	49742	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.322350025 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:50.322454929 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.322592020 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.337193966 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:50.337265015 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:50.340094090 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:50.340101957 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:50.340420008 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:50.342704058 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:50.342770100 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:50.343028069 CET	443	49743	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:50.343072891 CET	49743	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:50.343522072 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.343605042 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.344108105 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.344167948 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.347649097 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.347661972 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.347735882 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.347791910 CET	443	49739	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.347841978 CET	49739	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.348042011 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.348076105 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.348145962 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.349281073 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:50.349298000 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:50.442922115 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:50.533953905 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.556379080 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.556423903 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.578234911 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.579567909 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:50.579581022 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:50.582297087 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.620057106 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.620146036 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.623073101 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.623083115 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.623421907 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.625250101 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.625355005 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.625456095 CET	443	49745	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.625694990 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.625739098 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.627612114 CET	49745	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.627655029 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.627804995 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:50.627821922 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:50.656322002 CET	80	49740	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:50.658421993 CET	49740	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.701792002 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:50.701869011 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.702018023 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:50.822710991 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:51.308686972 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:51.308748960 CET	443	49753	34.107.243.93	192.168.2.4
Nov 24, 2024 13:47:51.309061050 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:51.310656071 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:51.310676098 CET	443	49753	34.107.243.93	192.168.2.4
Nov 24, 2024 13:47:51.351331949 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:51.351396084 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:51.352952957 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:51.353096962 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:51.353112936 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:51.365601063 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:51.365633965 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:51.365786076 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:51.367311001 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:51.367325068 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:51.373568058 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:51.373579979 CET	443	49756	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:51.373732090 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:51.375087023 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:51.375097036 CET	443	49756	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:51.500591993 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:51.500899076 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:51.620991945 CET	80	49746	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:51.621057034 CET	49746	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:51.835155010 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:51.856709957 CET	49757	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:51.896027088 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:51.896105051 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:51.898607016 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:51.898639917 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:51.899264097 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:51.899286032 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:51.899429083 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:51.899549007 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:51.903629065 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:51.903707027 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:51.903779984 CET	443	49750	34.160.144.191	192.168.2.4
Nov 24, 2024 13:47:51.904611111 CET	49750	443	192.168.2.4	34.160.144.191
Nov 24, 2024 13:47:51.905440092 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:51.905446053 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:51.905553102 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:51.905692101 CET	443	49748	34.117.188.166	192.168.2.4
Nov 24, 2024 13:47:51.905775070 CET	49748	443	192.168.2.4	34.117.188.166
Nov 24, 2024 13:47:51.907501936 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:51.976310015 CET	80	49757	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:51.980931997 CET	49757	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:51.981069088 CET	49757	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.029490948 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.101861000 CET	80	49757	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.104700089 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:52.105185032 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:52.107189894 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:52.107379913 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:52.111126900 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:52.111139059 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:52.111227036 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:52.111566067 CET	443	49747	142.250.181.142	192.168.2.4
Nov 24, 2024 13:47:52.111818075 CET	49747	443	192.168.2.4	142.250.181.142
Nov 24, 2024 13:47:52.235004902 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.250598907 CET	49757	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.253406048 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.337017059 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.373008966 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.373091936 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.373238087 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:52.410551071 CET	80	49757	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.492714882 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.586647034 CET	443	49753	34.107.243.93	192.168.2.4
Nov 24, 2024 13:47:52.586724997 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:52.591784000 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:52.591809034 CET	443	49753	34.107.243.93	192.168.2.4
Nov 24, 2024 13:47:52.591865063 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:52.592048883 CET	443	49753	34.107.243.93	192.168.2.4
Nov 24, 2024 13:47:52.592104912 CET	49753	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:47:52.596293926 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:52.596363068 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:52.600769997 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:52.600775003 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:52.600847960 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:52.601116896 CET	443	49755	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:52.601171017 CET	49755	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:52.617482901 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:52.617552042 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:52.619852066 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:52.619862080 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:52.620177984 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:52.622322083 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:52.622374058 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:52.622505903 CET	443	49754	35.244.181.201	192.168.2.4
Nov 24, 2024 13:47:52.622581959 CET	49754	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:47:52.653846979 CET	443	49756	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:52.653912067 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:52.657555103 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:52.657558918 CET	443	49756	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:52.657603025 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:52.657660007 CET	443	49756	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:52.657785892 CET	49756	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:52.947210073 CET	80	49757	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:52.947295904 CET	49757	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:53.551691055 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:53.593846083 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:56.025480032 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:56.145092964 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:56.349410057 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:56.402755022 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:56.910713911 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:56.910742998 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:56.911813974 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:56.914073944 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:56.914084911 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:58.174293041 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:58.174381018 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:58.178256989 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:58.178265095 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:58.178318977 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:58.178467989 CET	443	49760	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:58.178534985 CET	49760	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.411096096 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:59.411159039 CET	443	49764	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:59.411834002 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:59.413136959 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:47:59.413166046 CET	443	49764	34.149.100.209	192.168.2.4
Nov 24, 2024 13:47:59.505455971 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:59.523874044 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.523948908 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:59.523994923 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.524044991 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:59.524221897 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.524318933 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.524324894 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.524357080 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:59.524406910 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.524420023 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:59.618524075 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:47:59.620307922 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.620342016 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 13:47:59.620598078 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:47:59.787087917 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:59.787278891 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:47:59.990895987 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:00.000576973 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:00.042417049 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:00.042505980 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:00.810301065 CET	443	49764	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:00.810383081 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:00.946356058 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:00.946552038 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:00.946707010 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:00.949188948 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.095221996 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.095273972 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.099663973 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.099684954 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.100617886 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.101730108 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.101757050 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.102677107 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.104482889 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:01.104521036 CET	443	49764	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:01.104557991 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:01.104655027 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.104717970 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.105113029 CET	443	49764	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:01.105137110 CET	443	49766	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.106369019 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.106441021 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.106775999 CET	443	49765	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:01.106961012 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.106982946 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.107002974 CET	49764	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:01.107007980 CET	49766	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:01.107702017 CET	49765	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.357839108 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:02.358280897 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:02.360654116 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.360692978 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:02.361490965 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.361622095 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.361632109 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:02.443866014 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:02.443950891 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.477451086 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:02.477905035 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:02.681509972 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:02.690820932 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:02.709067106 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.709112883 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:02.709161043 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.709362984 CET	443	49767	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:02.709496021 CET	49767	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:02.734420061 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:02.734426022 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.034261942 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.036753893 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:03.036772966 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:03.042524099 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:03.153873920 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:03.155364037 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:03.155380011 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:03.157649040 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.157663107 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.158416986 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.161058903 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.161071062 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.200984955 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.320554972 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:03.367490053 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:03.420805931 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.530286074 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:03.583590031 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.671401978 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.671467066 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.745731115 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.745744944 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.746786118 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.806334972 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.904360056 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:03.906510115 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.906590939 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.907013893 CET	443	49769	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:03.907938004 CET	49769	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:03.910238981 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.024233103 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.030121088 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.234612942 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.235362053 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.237947941 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.238399982 CET	49773	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.238487959 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.285610914 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.355730057 CET	80	49758	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.355875015 CET	49758	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.357992887 CET	80	49773	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.359910965 CET	49773	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.360086918 CET	49773	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.423255920 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:04.423331976 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:04.426575899 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:04.426582098 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:04.427531004 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:04.429547071 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:04.429547071 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:04.429908991 CET	443	49771	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:04.430244923 CET	49771	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:04.431504965 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.468065023 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:04.468141079 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:04.472368956 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:04.472374916 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:04.472460032 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:04.472538948 CET	443	49770	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:04.472841024 CET	49770	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:04.480376005 CET	80	49773	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.551429033 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.754801035 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.755460978 CET	49773	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.758816957 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.809185028 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.878364086 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.878460884 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.878611088 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:04.918428898 CET	80	49773	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:04.998060942 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:05.251858950 CET	80	49773	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:05.251923084 CET	49773	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:06.057401896 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:06.112884998 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:14.016295910 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:14.016343117 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:14.021621943 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:14.021677017 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:14.067253113 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:14.067406893 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:14.067543030 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:14.067559958 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:14.069679022 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:14.069716930 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:14.132649899 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:14.132688999 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:14.133024931 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:14.136349916 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:14.136367083 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:14.161065102 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:14.161164045 CET	443	49778	35.201.103.21	192.168.2.4
Nov 24, 2024 13:48:14.161410093 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:14.162767887 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:14.162805080 CET	443	49778	35.201.103.21	192.168.2.4
Nov 24, 2024 13:48:14.253802061 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:14.253825903 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:14.253894091 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:14.253983021 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:14.253998041 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:14.681179047 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:14.681263924 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:14.681545973 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:14.683027029 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:14.683063030 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:14.761445999 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:14.881016970 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:15.325534105 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.325551987 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.325618982 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.329592943 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.329624891 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.329951048 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.333280087 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.333393097 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.333467007 CET	443	49775	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.335102081 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:15.335135937 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:15.337276936 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:15.338166952 CET	49775	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.338205099 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:15.344055891 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:15.344079018 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:15.344145060 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:15.344439983 CET	443	49776	35.190.72.216	192.168.2.4
Nov 24, 2024 13:48:15.344573021 CET	49776	443	192.168.2.4	35.190.72.216
Nov 24, 2024 13:48:15.372978926 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.373058081 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.376059055 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.376069069 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.376828909 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.379364014 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.379462957 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.379729033 CET	443	49777	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.381454945 CET	49777	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.449995995 CET	443	49778	35.201.103.21	192.168.2.4
Nov 24, 2024 13:48:15.450069904 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:15.455384970 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:15.455418110 CET	443	49778	35.201.103.21	192.168.2.4
Nov 24, 2024 13:48:15.455459118 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:15.455605030 CET	443	49778	35.201.103.21	192.168.2.4
Nov 24, 2024 13:48:15.455756903 CET	49778	443	192.168.2.4	35.201.103.21
Nov 24, 2024 13:48:15.456851959 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:15.468408108 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.468432903 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.468590975 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.468674898 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:15.468689919 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:15.586477995 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:15.586574078 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:15.590737104 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:15.590745926 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:15.590949059 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:15.593137980 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:15.593244076 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:15.593259096 CET	443	49779	151.101.1.91	192.168.2.4
Nov 24, 2024 13:48:15.593429089 CET	49779	443	192.168.2.4	151.101.1.91
Nov 24, 2024 13:48:15.603800058 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.603836060 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.604715109 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.604938984 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.604963064 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.605048895 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.605061054 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.605386019 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.605505943 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.605515003 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.607009888 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.607063055 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.607239962 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.607377052 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:15.607414007 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:15.660367966 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:15.663049936 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:15.702596903 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:15.782665968 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:15.901395082 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:15.901467085 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:15.905972004 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:15.905999899 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:15.906066895 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:15.906267881 CET	443	49780	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:15.914464951 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:15.918159008 CET	49780	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:15.996248007 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.034209967 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.041230917 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:16.274524927 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.285737991 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:16.319937944 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:16.406496048 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.619896889 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.674194098 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:16.743697882 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:16.743937016 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:16.748241901 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:16.748251915 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:16.748573065 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:16.751220942 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:16.751348972 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:16.751390934 CET	443	49781	34.149.100.209	192.168.2.4
Nov 24, 2024 13:48:16.752310991 CET	49781	443	192.168.2.4	34.149.100.209
Nov 24, 2024 13:48:16.754201889 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:16.873728991 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:16.889106035 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.889312983 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.893049002 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.893093109 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.893424988 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.893923998 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.893996954 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.897105932 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.897110939 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.898015976 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.899379015 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.899456024 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.899558067 CET	443	49782	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.900367022 CET	49782	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.900763988 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.900840998 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.901129961 CET	443	49783	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.901192904 CET	49783	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.931641102 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.931735039 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.935411930 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.935436010 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.935668945 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.938184023 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.938299894 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:16.938339949 CET	443	49784	35.244.181.201	192.168.2.4
Nov 24, 2024 13:48:16.938796043 CET	49784	443	192.168.2.4	35.244.181.201
Nov 24, 2024 13:48:17.091562986 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:17.096740961 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:17.144397974 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:17.217124939 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:17.430394888 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:17.476520061 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:27.103974104 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:27.436189890 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:27.840507984 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:27.840538979 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:36.490329027 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:36.490369081 CET	443	49786	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:36.491486073 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:36.492897034 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:36.492913008 CET	443	49786	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:37.797162056 CET	443	49786	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:37.797252893 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:37.801177979 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:37.801183939 CET	443	49786	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:37.801280975 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:37.801357985 CET	443	49786	34.107.243.93	192.168.2.4
Nov 24, 2024 13:48:37.801485062 CET	49786	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:48:37.803499937 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:37.851264000 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:37.851273060 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:37.926866055 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:37.973649979 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:38.044722080 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:38.130898952 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:38.133779049 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:38.174248934 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:38.258693933 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:38.472538948 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:38.522196054 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:44.115052938 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.115087986 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:44.115238905 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.115294933 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:44.115977049 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.116082907 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.116095066 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.116110086 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:44.116266012 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.116283894 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:44.215286970 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.215303898 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:44.223202944 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.223332882 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:44.223340034 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.332056046 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.333138943 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.336627960 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.336637974 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.337022066 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.339046001 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.339160919 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.339221001 CET	443	49801	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.341574907 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.341589928 CET	49801	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.345578909 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:45.424921989 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.425007105 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.428160906 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.428170919 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.428941011 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.430712938 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.430814981 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.431046009 CET	443	49800	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.431521893 CET	49800	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.465101004 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:45.490360022 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.490396023 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.490560055 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.493442059 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.493462086 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.493771076 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.496148109 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.496236086 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.496310949 CET	443	49802	34.120.208.123	192.168.2.4
Nov 24, 2024 13:48:45.496383905 CET	49802	443	192.168.2.4	34.120.208.123
Nov 24, 2024 13:48:45.668503046 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:45.670985937 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:45.711499929 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:45.790522099 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:46.004021883 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:46.059176922 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:48.125591993 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:48.245121002 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:48.449577093 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:48.452891111 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:48.503968954 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:48.573689938 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:48.787204981 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:48.836050987 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:58.462595940 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:58.582237959 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:48:58.794620991 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:48:58.914999008 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:08.591727972 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:08.712735891 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:08.923854113 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:09.043411016 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:18.193880081 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:18.193926096 CET	443	49881	34.107.243.93	192.168.2.4
Nov 24, 2024 13:49:18.194056034 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:18.195517063 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:18.195550919 CET	443	49881	34.107.243.93	192.168.2.4
Nov 24, 2024 13:49:18.721148968 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:18.841753960 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:19.053220987 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:19.173147917 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:19.459619045 CET	443	49881	34.107.243.93	192.168.2.4
Nov 24, 2024 13:49:19.459745884 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:19.464735985 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:19.464757919 CET	443	49881	34.107.243.93	192.168.2.4
Nov 24, 2024 13:49:19.464879990 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:19.465003014 CET	443	49881	34.107.243.93	192.168.2.4
Nov 24, 2024 13:49:19.465753078 CET	49881	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:49:19.467499971 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:19.587058067 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:19.791090965 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:19.794233084 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:19.839931965 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:19.913836002 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:20.128026962 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:20.172035933 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:29.799637079 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:29.919220924 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:30.131737947 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:30.251359940 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:39.928251028 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:40.049488068 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:40.260391951 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:40.379998922 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:50.057014942 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:50.176537991 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:49:50.389208078 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:49:50.514802933 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:00.185596943 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:00.306230068 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:00.517816067 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:00.637402058 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:10.314707041 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:10.434449911 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:10.646614075 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:10.766191959 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:20.443603992 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:20.563308001 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:20.775708914 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:20.895272017 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:30.572438955 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:30.692028046 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:30.906888008 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:31.026467085 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:40.065836906 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:40.065937042 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:40.066026926 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:40.068200111 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:40.068234921 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:40.701414108 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:40.821566105 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:41.033420086 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:41.155642986 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:41.285381079 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:41.285490990 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:41.291146994 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:41.291167974 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:41.291297913 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:41.291306973 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:41.291338921 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:41.293927908 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:41.413633108 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:41.495335102 CET	443	50059	34.107.243.93	192.168.2.4
Nov 24, 2024 13:50:41.498796940 CET	50059	443	192.168.2.4	34.107.243.93
Nov 24, 2024 13:50:41.617324114 CET	80	49749	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:41.621090889 CET	49774	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:41.657452106 CET	49749	80	192.168.2.4	34.107.221.82
Nov 24, 2024 13:50:41.745770931 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:41.960381031 CET	80	49774	34.107.221.82	192.168.2.4
Nov 24, 2024 13:50:42.005204916 CET	49774	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2024 13:47:45.701787949 CET	53080	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:45.840349913 CET	53	53080	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:45.841331005 CET	51857	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:45.985430956 CET	53	51857	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.273391962 CET	64236	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.273798943 CET	58155	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.413284063 CET	53	64236	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.419909000 CET	53719	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.424539089 CET	49815	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.559710979 CET	53	53719	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.564660072 CET	53	49815	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.576291084 CET	63927	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.578583002 CET	59996	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.716173887 CET	53	63927	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.718434095 CET	53	59996	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:48.878055096 CET	55781	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:48.885250092 CET	49664	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.015645981 CET	53	55781	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.016858101 CET	63268	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.023355007 CET	53	49664	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.029400110 CET	56535	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.029514074 CET	58002	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.154129028 CET	53	63268	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.155200005 CET	61228	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.167395115 CET	53	58002	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.167587996 CET	53	56535	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.169009924 CET	61470	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.169425011 CET	54022	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.212073088 CET	49793	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.292707920 CET	53	61228	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.306642056 CET	53	61470	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.307091951 CET	53	54022	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.350326061 CET	53	49793	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.399867058 CET	62834	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.538722992 CET	53	62834	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.667911053 CET	54491	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.805799007 CET	53	54491	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:49.995682001 CET	58695	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:49.999293089 CET	51807	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:50.061511993 CET	63311	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:50.134001017 CET	53	58695	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:50.136553049 CET	53	51807	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:50.761171103 CET	54003	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:50.852025032 CET	55156	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:50.990449905 CET	53	55156	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:50.991930962 CET	55038	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.130587101 CET	53	55038	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.134902954 CET	57236	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.210890055 CET	64998	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.271974087 CET	53	57236	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.349164009 CET	53	64998	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.373629093 CET	56595	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.395780087 CET	65424	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.511199951 CET	53	56595	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.514691114 CET	64141	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.534181118 CET	53	65424	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.534812927 CET	51453	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:51.571764946 CET	53	56539	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.657973051 CET	53	64141	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:51.675709009 CET	53	51453	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:55.614202976 CET	51665	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:55.752058983 CET	53	51665	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:55.753228903 CET	59299	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:55.891644001 CET	53	59299	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:55.892669916 CET	52125	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:56.031711102 CET	53	52125	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:59.383497953 CET	50204	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:59.485707998 CET	53765	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:59.486074924 CET	61033	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:59.521392107 CET	53	50204	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:59.523936987 CET	63359	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:47:59.630840063 CET	53	53765	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:59.631473064 CET	53	61033	1.1.1.1	192.168.2.4
Nov 24, 2024 13:47:59.804483891 CET	53	63359	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.094757080 CET	58748	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.095016956 CET	62016	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.096185923 CET	53202	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.235955000 CET	53	58748	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.236593008 CET	56075	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.238187075 CET	53	53202	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.238647938 CET	64342	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.240071058 CET	53	62016	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.240838051 CET	62834	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.375806093 CET	53	56075	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.378586054 CET	53	64342	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.387857914 CET	53	62834	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.663511038 CET	53301	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.663568020 CET	56411	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.805222988 CET	53	56411	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.806099892 CET	56899	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.808821917 CET	53	53301	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.813400984 CET	61618	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:01.944163084 CET	53	56899	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:01.944785118 CET	53059	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:02.033301115 CET	53	61618	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:02.034049034 CET	60672	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:02.083997011 CET	53	53059	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:02.252403021 CET	53	60672	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:03.037245035 CET	61253	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:03.177306890 CET	53	61253	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.012048006 CET	56519	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.022291899 CET	62812	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.133096933 CET	55471	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.160156965 CET	53	62812	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.161458015 CET	64123	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.252640963 CET	53	56519	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.281224966 CET	53	55471	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.281908035 CET	59190	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.282329082 CET	49472	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.308515072 CET	53	64123	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.309098005 CET	49228	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.428668022 CET	53	59190	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.428678989 CET	53	49472	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.429332972 CET	56077	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.449215889 CET	53	49228	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.540672064 CET	58256	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.568100929 CET	53	56077	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.680218935 CET	53	58256	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:14.681495905 CET	54409	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:14.819281101 CET	53	54409	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:36.490714073 CET	49430	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:36.628451109 CET	53	49430	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:44.115570068 CET	53333	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:48:44.253457069 CET	53	53333	1.1.1.1	192.168.2.4
Nov 24, 2024 13:48:45.346276045 CET	61224	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:49:18.037100077 CET	51619	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:49:18.192842960 CET	53	51619	1.1.1.1	192.168.2.4
Nov 24, 2024 13:49:18.193758011 CET	60592	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:49:18.330718994 CET	53	60592	1.1.1.1	192.168.2.4
Nov 24, 2024 13:50:39.786346912 CET	50243	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:50:39.924676895 CET	53	50243	1.1.1.1	192.168.2.4
Nov 24, 2024 13:50:39.925964117 CET	52596	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:50:40.064708948 CET	53	52596	1.1.1.1	192.168.2.4
Nov 24, 2024 13:50:40.065546036 CET	64873	53	192.168.2.4	1.1.1.1
Nov 24, 2024 13:50:40.203361034 CET	53	64873	1.1.1.1	192.168.2.4
Nov 24, 2024 13:50:41.294099092 CET	64248	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2024 13:47:45.701787949 CET	192.168.2.4	1.1.1.1	0x169f	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:45.841331005 CET	192.168.2.4	1.1.1.1	0x2bc1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:48.273391962 CET	192.168.2.4	1.1.1.1	0x8df8	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.273798943 CET	192.168.2.4	1.1.1.1	0x45d0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.419909000 CET	192.168.2.4	1.1.1.1	0xc2c	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.424539089 CET	192.168.2.4	1.1.1.1	0x88ef	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.576291084 CET	192.168.2.4	1.1.1.1	0x8418	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 24, 2024 13:47:48.578583002 CET	192.168.2.4	1.1.1.1	0x3f18	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:48.878055096 CET	192.168.2.4	1.1.1.1	0xe55e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.885250092 CET	192.168.2.4	1.1.1.1	0xfc86	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.016858101 CET	192.168.2.4	1.1.1.1	0x50f3	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.029400110 CET	192.168.2.4	1.1.1.1	0xde94	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.029514074 CET	192.168.2.4	1.1.1.1	0xe0b7	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.155200005 CET	192.168.2.4	1.1.1.1	0x14ef	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:47:49.169009924 CET	192.168.2.4	1.1.1.1	0x8eb9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:49.169425011 CET	192.168.2.4	1.1.1.1	0x5f6e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:49.212073088 CET	192.168.2.4	1.1.1.1	0x51ef	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.399867058 CET	192.168.2.4	1.1.1.1	0x5951	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.667911053 CET	192.168.2.4	1.1.1.1	0xae5e	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:49.995682001 CET	192.168.2.4	1.1.1.1	0x5b22	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.999293089 CET	192.168.2.4	1.1.1.1	0xf317	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.061511993 CET	192.168.2.4	1.1.1.1	0x17aa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.761171103 CET	192.168.2.4	1.1.1.1	0xd55b	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.852025032 CET	192.168.2.4	1.1.1.1	0x3e1c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.991930962 CET	192.168.2.4	1.1.1.1	0xb060	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.134902954 CET	192.168.2.4	1.1.1.1	0x486f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:47:51.210890055 CET	192.168.2.4	1.1.1.1	0xf871	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.373629093 CET	192.168.2.4	1.1.1.1	0x78df	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.395780087 CET	192.168.2.4	1.1.1.1	0xaf0e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.514691114 CET	192.168.2.4	1.1.1.1	0xbf84	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:47:51.534812927 CET	192.168.2.4	1.1.1.1	0x19cc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:55.614202976 CET	192.168.2.4	1.1.1.1	0x6901	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:55.753228903 CET	192.168.2.4	1.1.1.1	0xa81	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:55.892669916 CET	192.168.2.4	1.1.1.1	0xe754	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:47:59.383497953 CET	192.168.2.4	1.1.1.1	0xf468	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:47:59.485707998 CET	192.168.2.4	1.1.1.1	0xc7e1	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.486074924 CET	192.168.2.4	1.1.1.1	0xcd0b	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.523936987 CET	192.168.2.4	1.1.1.1	0x92a9	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.094757080 CET	192.168.2.4	1.1.1.1	0xbd35	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.095016956 CET	192.168.2.4	1.1.1.1	0x7b7d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.096185923 CET	192.168.2.4	1.1.1.1	0xf891	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.236593008 CET	192.168.2.4	1.1.1.1	0x5903	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:01.238647938 CET	192.168.2.4	1.1.1.1	0x6099	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:01.240838051 CET	192.168.2.4	1.1.1.1	0x8d0d	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 24, 2024 13:48:01.663511038 CET	192.168.2.4	1.1.1.1	0xc417	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.663568020 CET	192.168.2.4	1.1.1.1	0xc349	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.806099892 CET	192.168.2.4	1.1.1.1	0x4a79	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.813400984 CET	192.168.2.4	1.1.1.1	0x3a73	Standard query (0)	dualstack.reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.944785118 CET	192.168.2.4	1.1.1.1	0x5fec	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:02.034049034 CET	192.168.2.4	1.1.1.1	0x7b0f	Standard query (0)	dualstack.reddit.map.fastly.net	28	IN (0x0001)	false
Nov 24, 2024 13:48:03.037245035 CET	192.168.2.4	1.1.1.1	0xb72d	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:14.012048006 CET	192.168.2.4	1.1.1.1	0x8966	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.022291899 CET	192.168.2.4	1.1.1.1	0xb7df	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.133096933 CET	192.168.2.4	1.1.1.1	0xb0e3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.161458015 CET	192.168.2.4	1.1.1.1	0x5a2e	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.281908035 CET	192.168.2.4	1.1.1.1	0x17d3	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 24, 2024 13:48:14.282329082 CET	192.168.2.4	1.1.1.1	0x407d	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.309098005 CET	192.168.2.4	1.1.1.1	0xfa41	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:14.429332972 CET	192.168.2.4	1.1.1.1	0xad83	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 24, 2024 13:48:14.540672064 CET	192.168.2.4	1.1.1.1	0xe549	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.681495905 CET	192.168.2.4	1.1.1.1	0x4970	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:36.490714073 CET	192.168.2.4	1.1.1.1	0x9747	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:44.115570068 CET	192.168.2.4	1.1.1.1	0x503b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:48:45.346276045 CET	192.168.2.4	1.1.1.1	0xa8e4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:49:18.037100077 CET	192.168.2.4	1.1.1.1	0x47ca	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:49:18.193758011 CET	192.168.2.4	1.1.1.1	0x8e60	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:50:39.786346912 CET	192.168.2.4	1.1.1.1	0xb59b	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:50:39.925964117 CET	192.168.2.4	1.1.1.1	0xb1a3	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:50:40.065546036 CET	192.168.2.4	1.1.1.1	0x41a1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 24, 2024 13:50:41.294099092 CET	192.168.2.4	1.1.1.1	0xf348	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 24, 2024 13:47:45.632975101 CET	1.1.1.1	192.168.2.4	0x3aae	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:45.840349913 CET	1.1.1.1	192.168.2.4	0x169f	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.413284063 CET	1.1.1.1	192.168.2.4	0x8df8	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.413943052 CET	1.1.1.1	192.168.2.4	0x45d0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:48.413943052 CET	1.1.1.1	192.168.2.4	0x45d0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.559710979 CET	1.1.1.1	192.168.2.4	0xc2c	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.564660072 CET	1.1.1.1	192.168.2.4	0x88ef	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:48.716173887 CET	1.1.1.1	192.168.2.4	0x8418	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 24, 2024 13:47:48.718434095 CET	1.1.1.1	192.168.2.4	0x3f18	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 13:47:49.015645981 CET	1.1.1.1	192.168.2.4	0xe55e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.021872044 CET	1.1.1.1	192.168.2.4	0x5fde	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:49.021872044 CET	1.1.1.1	192.168.2.4	0x5fde	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.023355007 CET	1.1.1.1	192.168.2.4	0xfc86	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:49.023355007 CET	1.1.1.1	192.168.2.4	0xfc86	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.154129028 CET	1.1.1.1	192.168.2.4	0x50f3	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.167395115 CET	1.1.1.1	192.168.2.4	0xe0b7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.167587996 CET	1.1.1.1	192.168.2.4	0xde94	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.350326061 CET	1.1.1.1	192.168.2.4	0x51ef	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:49.350326061 CET	1.1.1.1	192.168.2.4	0x51ef	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:49.350326061 CET	1.1.1.1	192.168.2.4	0x51ef	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.538722992 CET	1.1.1.1	192.168.2.4	0x5951	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:49.805799007 CET	1.1.1.1	192.168.2.4	0xae5e	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 24, 2024 13:47:50.134001017 CET	1.1.1.1	192.168.2.4	0x5b22	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.136553049 CET	1.1.1.1	192.168.2.4	0xf317	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.136553049 CET	1.1.1.1	192.168.2.4	0xf317	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.201267004 CET	1.1.1.1	192.168.2.4	0x17aa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:50.201267004 CET	1.1.1.1	192.168.2.4	0x17aa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:50.990449905 CET	1.1.1.1	192.168.2.4	0x3e1c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.002861023 CET	1.1.1.1	192.168.2.4	0xd55b	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:51.130587101 CET	1.1.1.1	192.168.2.4	0xb060	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.336114883 CET	1.1.1.1	192.168.2.4	0x374b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.344360113 CET	1.1.1.1	192.168.2.4	0x21a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:51.344360113 CET	1.1.1.1	192.168.2.4	0x21a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.349164009 CET	1.1.1.1	192.168.2.4	0xf871	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:51.349164009 CET	1.1.1.1	192.168.2.4	0xf871	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.511199951 CET	1.1.1.1	192.168.2.4	0x78df	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:51.534181118 CET	1.1.1.1	192.168.2.4	0xaf0e	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:55.752058983 CET	1.1.1.1	192.168.2.4	0x6901	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:55.752058983 CET	1.1.1.1	192.168.2.4	0x6901	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:55.752058983 CET	1.1.1.1	192.168.2.4	0x6901	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:55.891644001 CET	1.1.1.1	192.168.2.4	0xa81	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:56.166444063 CET	1.1.1.1	192.168.2.4	0x97e4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.630840063 CET	1.1.1.1	192.168.2.4	0xc7e1	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.631473064 CET	1.1.1.1	192.168.2.4	0xcd0b	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:59.631473064 CET	1.1.1.1	192.168.2.4	0xcd0b	No error (0)	star-mini.c10r.facebook.com		157.240.195.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:47:59.804483891 CET	1.1.1.1	192.168.2.4	0x92a9	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:47:59.804483891 CET	1.1.1.1	192.168.2.4	0x92a9	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.235955000 CET	1.1.1.1	192.168.2.4	0xbd35	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.238187075 CET	1.1.1.1	192.168.2.4	0xf891	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.240071058 CET	1.1.1.1	192.168.2.4	0x7b7d	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.375806093 CET	1.1.1.1	192.168.2.4	0x5903	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.375806093 CET	1.1.1.1	192.168.2.4	0x5903	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.375806093 CET	1.1.1.1	192.168.2.4	0x5903	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.375806093 CET	1.1.1.1	192.168.2.4	0x5903	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.378586054 CET	1.1.1.1	192.168.2.4	0x6099	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.387857914 CET	1.1.1.1	192.168.2.4	0x8d0d	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 24, 2024 13:48:01.805222988 CET	1.1.1.1	192.168.2.4	0xc349	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.808821917 CET	1.1.1.1	192.168.2.4	0xc417	No error (0)	www.reddit.com	dualstack.reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:01.808821917 CET	1.1.1.1	192.168.2.4	0xc417	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.808821917 CET	1.1.1.1	192.168.2.4	0xc417	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.808821917 CET	1.1.1.1	192.168.2.4	0xc417	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.808821917 CET	1.1.1.1	192.168.2.4	0xc417	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:01.944163084 CET	1.1.1.1	192.168.2.4	0x4a79	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:02.033301115 CET	1.1.1.1	192.168.2.4	0x3a73	No error (0)	dualstack.reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:02.033301115 CET	1.1.1.1	192.168.2.4	0x3a73	No error (0)	dualstack.reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:02.033301115 CET	1.1.1.1	192.168.2.4	0x3a73	No error (0)	dualstack.reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:02.033301115 CET	1.1.1.1	192.168.2.4	0x3a73	No error (0)	dualstack.reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:02.252403021 CET	1.1.1.1	192.168.2.4	0x7b0f	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 24, 2024 13:48:02.252403021 CET	1.1.1.1	192.168.2.4	0x7b0f	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 24, 2024 13:48:02.252403021 CET	1.1.1.1	192.168.2.4	0x7b0f	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 24, 2024 13:48:02.252403021 CET	1.1.1.1	192.168.2.4	0x7b0f	No error (0)	dualstack.reddit.map.fastly.net			28	IN (0x0001)	false
Nov 24, 2024 13:48:14.129723072 CET	1.1.1.1	192.168.2.4	0x257c	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:14.129723072 CET	1.1.1.1	192.168.2.4	0x257c	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.160156965 CET	1.1.1.1	192.168.2.4	0xb7df	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:14.160156965 CET	1.1.1.1	192.168.2.4	0xb7df	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.252640963 CET	1.1.1.1	192.168.2.4	0x8966	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.252640963 CET	1.1.1.1	192.168.2.4	0x8966	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.252640963 CET	1.1.1.1	192.168.2.4	0x8966	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.252640963 CET	1.1.1.1	192.168.2.4	0x8966	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.281224966 CET	1.1.1.1	192.168.2.4	0xb0e3	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.308515072 CET	1.1.1.1	192.168.2.4	0x5a2e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.428678989 CET	1.1.1.1	192.168.2.4	0x407d	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.428678989 CET	1.1.1.1	192.168.2.4	0x407d	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.428678989 CET	1.1.1.1	192.168.2.4	0x407d	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.428678989 CET	1.1.1.1	192.168.2.4	0x407d	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:14.568100929 CET	1.1.1.1	192.168.2.4	0xad83	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 13:48:14.568100929 CET	1.1.1.1	192.168.2.4	0xad83	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 13:48:14.568100929 CET	1.1.1.1	192.168.2.4	0xad83	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 13:48:14.568100929 CET	1.1.1.1	192.168.2.4	0xad83	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 24, 2024 13:48:14.680218935 CET	1.1.1.1	192.168.2.4	0xe549	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:17.470221043 CET	1.1.1.1	192.168.2.4	0xfef6	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:17.470221043 CET	1.1.1.1	192.168.2.4	0xfef6	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:44.352740049 CET	1.1.1.1	192.168.2.4	0x1fe8	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:48:45.485872984 CET	1.1.1.1	192.168.2.4	0xa8e4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:48:45.485872984 CET	1.1.1.1	192.168.2.4	0xa8e4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:49:18.192842960 CET	1.1.1.1	192.168.2.4	0x47ca	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:50:39.924676895 CET	1.1.1.1	192.168.2.4	0xb59b	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:50:40.064708948 CET	1.1.1.1	192.168.2.4	0xb1a3	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 24, 2024 13:50:41.431549072 CET	1.1.1.1	192.168.2.4	0xf348	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 24, 2024 13:50:41.431549072 CET	1.1.1.1	192.168.2.4	0xf348	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:47:48.858061075 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:47:49.943579912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68977 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:47:50.322592020 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:47:51.500591993 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61674 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:47:50.702018023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:47:51.835155010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68979 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:47:51.907501936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:47:52.235004902 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68980 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:47:56.025480032 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:47:56.349410057 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68984 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:47:59.618524075 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:47:59.990895987 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68987 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:02.358280897 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:02.681509972 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68990 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:03.200984955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:03.530286074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68991 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:03.910238981 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:04.234612942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68992 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:04.431504965 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:04.754801035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 68992 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:14.761445999 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:48:15.337276936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:15.660367966 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69003 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:15.914464951 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:16.274524927 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69004 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:16.754201889 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:17.091562986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69004 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:27.103974104 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:48:37.803499937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:37.851264000 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:48:38.130898952 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69025 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:45.345578909 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:45.668503046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69033 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:48.125591993 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:48:48.449577093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69036 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:48:58.462595940 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:08.591727972 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:18.721148968 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:19.467499971 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:49:19.791090965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69067 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 24, 2024 13:49:29.799637079 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:39.928251028 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:50.057014942 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:50:00.185596943 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:50:41.293927908 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 24, 2024 13:50:41.617324114 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 17:38:12 GMT Age: 69149 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49757	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:47:51.981069088 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49758	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:47:52.373238087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:47:53.551691055 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 47326 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:47:59.505455971 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:00.000576973 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 47332 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:02.357839108 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:02.690820932 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 47335 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:03.034261942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:03.367490053 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 47336 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:03.904360056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:04.237947941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 23:39:07 GMT Age: 47337 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49773	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:48:04.360086918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49774	34.107.221.82	80	3084	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 24, 2024 13:48:04.878611088 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:06.057401896 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61688 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:15.663049936 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:15.996248007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61698 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:16.285737991 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:16.619896889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61699 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:17.096740961 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:17.430394888 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61700 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:27.436189890 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:48:37.851273060 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:48:38.133779049 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:38.472538948 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61721 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:45.670985937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:46.004021883 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61728 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:48.452891111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:48:48.787204981 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61731 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:48:58.794620991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:08.923854113 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:19.053220987 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:19.794233084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:49:20.128026962 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 24, 2024 13:49:30.131737947 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:40.260391951 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:49:50.389208078 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:50:00.517816067 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:50:10.646614075 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 24, 2024 13:50:41.621090889 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 24, 2024 13:50:41.960381031 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 19:39:57 GMT Age: 61844 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	07:47:38
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x720000
File size:	921'600 bytes
MD5 hash:	76F39BC0A5718AF31E2C979EE0DA0837
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1735321055.0000000001060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:47:38
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:47:38
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:47:40
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:47:40
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:47:40
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:47:40
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x2e0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:47:41
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	07:47:42
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4c19da-07e9-4e1a-9ce2-f4e466361ce6} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e16ef10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	07:47:44
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 3880 -prefMapHandle 2888 -prefsLen 26208 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5f226f1-1a1c-41d2-bbb4-bf72ea27501c} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f18e182a10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:47:50
Start date:	24/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2612 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dce7259-bfc2-44f9-b9ca-cb65ac3e711e} 3084 "\\.\pipe\gecko-crash-server-pipe.3084" 1f1a07c7510 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1512
Total number of Limit Nodes:	55

Executed Functions

Function 007242DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0072430D

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

GetCurrentProcess.KERNEL32(?,007BCB64,00000000,?,?), ref: 00724422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00724429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00724454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00724466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00724474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0072447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007244A0

Strings

kernel32.dll, xrefs: 0072444F
|O, xrefs: 007636F8
GetNativeSystemInfo, xrefs: 00724460

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f902f13b2c1899890fba82d93ab3f64d3e5d0f993230a005efafad1f771ed1df
Instruction ID: c8d1e2d4b949a932aa2a8ed207e9cbec3f177ef42452b1ecac9425bd3a5fb38d
Opcode Fuzzy Hash: f902f13b2c1899890fba82d93ab3f64d3e5d0f993230a005efafad1f771ed1df
Instruction Fuzzy Hash: 2DA1937690A2D4DFC712D76DBC856B57FE46F36300F98D8A9D48593A22D23C4608CB2D

Function 007242A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007250AA,?,?,00000000,00000000), ref: 007242B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007250AA,?,?,00000000,00000000), ref: 007242C9
LoadResource.KERNEL32(?,00000000,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20), ref: 007635BE
SizeofResource.KERNEL32(?,00000000,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20), ref: 007635D3
LockResource.KERNEL32(007250AA,?,?,007250AA,?,?,00000000,00000000,?,?,?,?,?,?,00724F20,?), ref: 007635E6

Strings

SCRIPT, xrefs: 007242BF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2ce7ab4081e2a6c447f27ae9aa3d24e5cb3768d782398a50ea21fd75600a7b82
Instruction ID: 2ebce564676b447562d207669c883d56f89e96743ec9bf5d1b5e1868c5f2f734
Opcode Fuzzy Hash: 2ce7ab4081e2a6c447f27ae9aa3d24e5cb3768d782398a50ea21fd75600a7b82
Instruction Fuzzy Hash: 5C113C71200711FFDB228B66EC49F677BB9FBC5B51F148269B406D6250DB75DC009670

Function 00762BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00722B6B

Part of subcall function 00723A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F1418,?,00722E7F,?,?,?,00000000), ref: 00723A78

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007E2224), ref: 00762C10
ShellExecuteW.SHELL32(00000000,?,?,007E2224), ref: 00762C17

Strings

runas, xrefs: 00762C0B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 726bae685b6968d0726863647ff01b7aabd99b75ca428a3532d67a146aea61ee
Instruction ID: 20bc5a98b93de211c06de6e692841e395a45a50e661725c05dc2678d1e3a19bf
Opcode Fuzzy Hash: 726bae685b6968d0726863647ff01b7aabd99b75ca428a3532d67a146aea61ee
Instruction Fuzzy Hash: 7D110671208395EAC714FF60F859DBEB7A8ABD4300F48482DF186170A3DF2D8A4AC712

Function 0078D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0078D501
Process32FirstW.KERNEL32(00000000,?), ref: 0078D50F
Process32NextW.KERNEL32(00000000,?), ref: 0078D52F
CloseHandle.KERNELBASE(00000000), ref: 0078D5DC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b480af3dedc14eaf02ba11b54844831212d42abbb7368f9cd6140e770bf032ce
Instruction ID: 46ebd2bad62f20633bb877a18dfc751a37aa7ceab84be8208878adc0a277866a
Opcode Fuzzy Hash: b480af3dedc14eaf02ba11b54844831212d42abbb7368f9cd6140e770bf032ce
Instruction Fuzzy Hash: BD31B171008304DFD311EF54D889EAFBBE8EF99354F14492DF581921A1EB759948CBA2

Function 0078DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00765222), ref: 0078DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0078DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0078DBEE
FindClose.KERNEL32(00000000), ref: 0078DBFA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 106e2c03fc25f79306996e6f682a61dbb351f58b54c1487ba7da8afded9bcdb1
Instruction ID: ff589d564d9033de721c1137a94fb0da77cd748aa1cc778f7a0da08e7eafab48
Opcode Fuzzy Hash: 106e2c03fc25f79306996e6f682a61dbb351f58b54c1487ba7da8afded9bcdb1
Instruction Fuzzy Hash: 9EF0A0308509145B9231BB7CAC0D9AA376CAE01334F10C702F836C20E0EBB85D5486A9

Function 00744CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000,?,007528E9), ref: 00744D09
TerminateProcess.KERNEL32(00000000,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000,?,007528E9), ref: 00744D10
ExitProcess.KERNEL32 ref: 00744D22

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 507bed53f00e7e72bcedf458f7a0adeecd3cf86e63ec3cd54c6a15fd31a6d920
Instruction ID: 5a80d977b009f50edb8bd3595c16f1ab132b7a68868ee0299b65b81772e57ffc
Opcode Fuzzy Hash: 507bed53f00e7e72bcedf458f7a0adeecd3cf86e63ec3cd54c6a15fd31a6d920
Instruction Fuzzy Hash: 17E0B631500548ABCF12AF64DD09F583BA9EB41781B50C118FD059B132CB7DDD42DE84

Function 007AAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 007AB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007AB1D4
_wcslen.LIBCMT ref: 007AB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007AB236
_wcslen.LIBCMT ref: 007AB332

Part of subcall function 007905A7: GetStdHandle.KERNEL32(000000F6), ref: 007905C6

_wcslen.LIBCMT ref: 007AB34B
_wcslen.LIBCMT ref: 007AB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007AB3B6
GetLastError.KERNEL32(00000000), ref: 007AB407
CloseHandle.KERNEL32(?), ref: 007AB439
CloseHandle.KERNEL32(00000000), ref: 007AB44A
CloseHandle.KERNEL32(00000000), ref: 007AB45C
CloseHandle.KERNEL32(00000000), ref: 007AB46E
CloseHandle.KERNEL32(?), ref: 007AB4E3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 9e7e4b4beb5cc8960129704cb3d54e9288532f591869ab59a7ec00b16d98fb50
Instruction ID: fac0e82384fe7c0ff06aa9393bbfb3e8c6764cef624df5bafd96e4264112c4f7
Opcode Fuzzy Hash: 9e7e4b4beb5cc8960129704cb3d54e9288532f591869ab59a7ec00b16d98fb50
Instruction Fuzzy Hash: 24F19C31508350DFCB14EF24D895B6EBBE5AF86310F14865DF8899B2A2CB39EC44CB52

Function 0072D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0072D807
timeGetTime.WINMM ref: 0072DA07
Sleep.KERNELBASE(0000000A), ref: 0072DBB1
Sleep.KERNEL32(0000000A), ref: 00772B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00772C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00772C29
CloseHandle.KERNEL32(?), ref: 00772C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00772CA9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: f4cd977ffbe465f5015a48bfa74cc658beb044434fbadede2caeef4931944063
Instruction ID: 6113fa0cb12c6cc222c48194a9cc4d75bf88114bb0477b145eca2ddcf0a1ebb8
Opcode Fuzzy Hash: f4cd977ffbe465f5015a48bfa74cc658beb044434fbadede2caeef4931944063
Instruction Fuzzy Hash: A942DE70608251DFDB39CF24D858BAAB7A1BF85300F54C619E4A987292D77CEC85CB92

Function 00722CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00722D07
RegisterClassExW.USER32(00000030), ref: 00722D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00722D42
InitCommonControlsEx.COMCTL32(?), ref: 00722D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00722D6F
LoadIconW.USER32(000000A9), ref: 00722D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00722D94

Strings

0, xrefs: 00722CE9
TaskbarCreated, xrefs: 00722D37
AutoIt v3 GUI, xrefs: 00722D23
+, xrefs: 00722CF0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 06dd06aa01317eafe0786cd8d5e1b1ee4c124fa52bc50bcdb7cebc309166a320
Instruction ID: 3390620c4d28192796d540927520a0b8a533137ade6a1f54eed73119a89a4cc3
Opcode Fuzzy Hash: 06dd06aa01317eafe0786cd8d5e1b1ee4c124fa52bc50bcdb7cebc309166a320
Instruction Fuzzy Hash: 4621E3B1901248EFDB01DFA4EC89BEDBBB4FB08700F00C21AF551A62A0D7B95540CF98

Function 0076065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0076039A: CreateFileW.KERNELBASE(00000000,00000000,?,00760704,?,?,00000000,?,00760704,00000000,0000000C), ref: 007603B7

GetLastError.KERNEL32 ref: 0076076F
__dosmaperr.LIBCMT ref: 00760776
GetFileType.KERNELBASE(00000000), ref: 00760782
GetLastError.KERNEL32 ref: 0076078C
__dosmaperr.LIBCMT ref: 00760795
CloseHandle.KERNEL32(00000000), ref: 007607B5
CloseHandle.KERNEL32(?), ref: 007608FF
GetLastError.KERNEL32 ref: 00760931
__dosmaperr.LIBCMT ref: 00760938

Strings

H, xrefs: 007608BD

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fca185340ae4979225542883ef82a1a0118ae34b2d704771e19e0459aa602bd2
Instruction ID: 5f588f9084845882dd785aeee614efdd45709330a0f459ba79fcf233a4c0ae52
Opcode Fuzzy Hash: fca185340ae4979225542883ef82a1a0118ae34b2d704771e19e0459aa602bd2
Instruction Fuzzy Hash: 9EA12632A141098FDF19EF68D855BAE3BE0AB06320F14415DFC169B392DB399D12CBD2

Function 0072344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00723A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007F1418,?,00722E7F,?,?,?,00000000), ref: 00723A78

Part of subcall function 00723357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00723379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0072356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0076318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007631CE
RegCloseKey.ADVAPI32(?), ref: 00763210
_wcslen.LIBCMT ref: 00763277
_wcslen.LIBCMT ref: 00763286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00723560
Include, xrefs: 00763184, 007631C5
\, xrefs: 0076328C
\Include\, xrefs: 00723527

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4c8269236df5f107feadbc44501416f909135d19704789a50a41229a87cbc7fc
Instruction ID: f65f74c83e052af104cc488cc11002fb9a003ebf4aeba75fc6498ae772ee4125
Opcode Fuzzy Hash: 4c8269236df5f107feadbc44501416f909135d19704789a50a41229a87cbc7fc
Instruction Fuzzy Hash: 12718CB1404315AFC314EF29EC859ABBBE8FF85740F40842EF54587162EB3C9A49CB66

Function 00722B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00722B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00722B9D
LoadIconW.USER32(00000063), ref: 00722BB3
LoadIconW.USER32(000000A4), ref: 00722BC5
LoadIconW.USER32(000000A2), ref: 00722BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00722BEF
RegisterClassExW.USER32(?), ref: 00722C40

Part of subcall function 00722CD4: GetSysColorBrush.USER32(0000000F), ref: 00722D07
Part of subcall function 00722CD4: RegisterClassExW.USER32(00000030), ref: 00722D31
Part of subcall function 00722CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00722D42
Part of subcall function 00722CD4: InitCommonControlsEx.COMCTL32(?), ref: 00722D5F
Part of subcall function 00722CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00722D6F
Part of subcall function 00722CD4: LoadIconW.USER32(000000A9), ref: 00722D85
Part of subcall function 00722CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00722D94

Strings

AutoIt v3, xrefs: 00722C2F
0, xrefs: 00722C0F
#, xrefs: 00722C16

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d5abf2e1cda7d3df26ac4c3d7a3ad39139b669692e6e82097eb983cd8f0cc24e
Instruction ID: cb4cc6ec46db0b637048ea7a8e423426bb28679888bff5694a73e5488d225db3
Opcode Fuzzy Hash: d5abf2e1cda7d3df26ac4c3d7a3ad39139b669692e6e82097eb983cd8f0cc24e
Instruction Fuzzy Hash: 8B214970E00318EBDB119FA6EC59BAA7FB4FF48B50F40C02AF500A66A0D7B90544CF99

Function 00723170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0072316A,?,?), ref: 007231D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0072316A,?,?), ref: 00723204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00723227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0072316A,?,?), ref: 00723232
CreatePopupMenu.USER32 ref: 00723246
PostQuitMessage.USER32(00000000), ref: 00723267

Strings

TaskbarCreated, xrefs: 0072322D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: cc5675a41b6ca15d9f1bec5637d2f423b1044677300b68b51e8bea06c5cc0b37
Instruction ID: 5f52cafda3e0aa371b50fb7e3422e4372a84facd51b6b59217eb992b6db6a02e
Opcode Fuzzy Hash: cc5675a41b6ca15d9f1bec5637d2f423b1044677300b68b51e8bea06c5cc0b37
Instruction Fuzzy Hash: 61416831240268E7DB155B78BC0DB793B69FB05340F448125F942962A2CB7EDA01D7A5

Function 00721410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00721459
CoUninitialize.COMBASE ref: 007214F8
UnregisterHotKey.USER32(?), ref: 007216DD
DestroyWindow.USER32(?), ref: 007624B9
FreeLibrary.KERNEL32(?), ref: 0076251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0076254B

Strings

close all, xrefs: 00721454

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 74db183a397c8d07058fb19f2cb3b1bb66ca550a270d94950a8d6e09d2fda760
Instruction ID: 0c042aa72a7440c28014c503a9db873f0522b695569b53e2ba47eabc9fd91222
Opcode Fuzzy Hash: 74db183a397c8d07058fb19f2cb3b1bb66ca550a270d94950a8d6e09d2fda760
Instruction Fuzzy Hash: B4D15E31701622CFDB29EF15D499A29F7A0BF15700F5481ADE84B6B262DB38AD23CF51

Function 00722C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00722C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00722CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00721CAD,?), ref: 00722CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00721CAD,?), ref: 00722CCF

Strings

AutoIt v3, xrefs: 00722C89, 00722C8E, 00722C8F
edit, xrefs: 00722CAC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9f76eef8d5e629ea30ebfc2871bbdd783a59ac970424b8b37c3dbce3f904ecd7
Instruction ID: 91f5d9841d3d6f522be1225caf1a6e8f3fbdabd323edf60c6b50e8fedd30314f
Opcode Fuzzy Hash: 9f76eef8d5e629ea30ebfc2871bbdd783a59ac970424b8b37c3dbce3f904ecd7
Instruction Fuzzy Hash: 36F0DA76540290BAEB311717AC08FB72FBDEBC7F60F40805AF900A65A0C6691850DAB8

Function 00723B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00723B0F,SwapMouseButtons,00000004,?), ref: 00723B83

Strings

Control Panel\Mouse, xrefs: 00723B3E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 7cb4a3db43f3b861f09aa1ae88ac4ccae78065330f8126ebdecad70a99325254
Instruction ID: 04d77e192a6958401f2ee389c901895f426ea9c31c3a88b6cf8ced05c85c5bf0
Opcode Fuzzy Hash: 7cb4a3db43f3b861f09aa1ae88ac4ccae78065330f8126ebdecad70a99325254
Instruction Fuzzy Hash: 74113CB5511218FFDB21CFA5EC44EAFB7B8EF04744B108559F805D7110E2399F409B64

Function 00723923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007633A2

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00723A04

Strings

Line: , xrefs: 007633EB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 6a9556f3a570ff58158e13ee822ddb96c9deaeeb87fbcb2d19ff28512f1638c7
Instruction ID: b48c4435345498e48cc8086aa46799009977f596edd0bf8f8718595c615fa9b7
Opcode Fuzzy Hash: 6a9556f3a570ff58158e13ee822ddb96c9deaeeb87fbcb2d19ff28512f1638c7
Instruction Fuzzy Hash: 0D31D671508324EAC725EB10EC49FEBB7E8AF45714F00892AF59983191DB7CAB48C7C6

Function 00722DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00762C8C

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 00722DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00722DC4

Strings

X, xrefs: 00762C5A
`e~, xrefs: 00762C85

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e~
API String ID: 779396738-116474759
Opcode ID: a62d3a87dfe1d2cdf1bb1ff7017ee34f0b11e24fbbc79165cd2d65d9f770560f
Instruction ID: 0e81d08a930ebbd188800462949c1d3f7e69b1b53ccfe3cc2f5748dbdd16d890
Opcode Fuzzy Hash: a62d3a87dfe1d2cdf1bb1ff7017ee34f0b11e24fbbc79165cd2d65d9f770560f
Instruction Fuzzy Hash: 7021A871E00298DFCB41EF94D849BEE7BF89F59314F108059E405B7241DBBC9A498FA1

Function 0073FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00740668

Part of subcall function 007432A4: RaiseException.KERNEL32(?,?,?,0074068A,?,007F1444,?,?,?,?,?,?,0074068A,00721129,007E8738,00721129), ref: 00743304

__CxxThrowException@8.LIBVCRUNTIME ref: 00740685

Strings

Unknown exception, xrefs: 00740692

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a41c68bd28f83587730a56f1b1a1f86ea88a564edf709494e6f197edbccb4c7d
Instruction ID: a501e48105a08dabe7d77c2cae4c0ae13dbdf1e7dca25dbfdcfa5a82cde4229a
Opcode Fuzzy Hash: a41c68bd28f83587730a56f1b1a1f86ea88a564edf709494e6f197edbccb4c7d
Instruction Fuzzy Hash: E9F0C234A0020DF78B04BAA4E85ED9E776CAE40350B604571FA28D6592EF79DA25C9C1

Function 007210F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00721BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00721BF4
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00721BFC
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00721C07
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00721C12
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00721C1A
Part of subcall function 00721BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00721C22

Part of subcall function 00721B4A: RegisterWindowMessageW.USER32(00000004,?,007212C4), ref: 00721BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0072136A
OleInitialize.OLE32 ref: 00721388
CloseHandle.KERNEL32(00000000,00000000), ref: 007624AB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3c6ed16ce67ff6fa11e112c06a5988ff0e582659edac748fd48be6266f620f26
Instruction ID: bf62d18c0ec71db43896bf1f69eaadb855d99c551bab93adb811885103527df7
Opcode Fuzzy Hash: 3c6ed16ce67ff6fa11e112c06a5988ff0e582659edac748fd48be6266f620f26
Instruction Fuzzy Hash: 4971BAB4911244CFC384EF7AA9496B53BE0BB98394FD4C23A901ACB361EB3C5464CF59

Function 0078C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00723923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00723A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0078C259
KillTimer.USER32(?,00000001,?,?), ref: 0078C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0078C270

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: b45a5aa14ac286fda8c4d99fd64489768310c5cdeb5c43e74a9565d07eaf6610
Instruction ID: a5d2e9b89efe0365298e6ef654930c98209d175e6c7dfdbf52e29f0156daddd4
Opcode Fuzzy Hash: b45a5aa14ac286fda8c4d99fd64489768310c5cdeb5c43e74a9565d07eaf6610
Instruction Fuzzy Hash: A931C570944354AFEB63DF648895BE7BBECAF06304F00449AD2DA97281C7785A84CB61

Function 007586AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007585CC,?,007E8CC8,0000000C), ref: 00758704
GetLastError.KERNEL32(?,007585CC,?,007E8CC8,0000000C), ref: 0075870E
__dosmaperr.LIBCMT ref: 00758739

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 2b687e4edb5f2f8d4800d429dca7a008ef7a5e5009c69f419ef6d4cf832491fc
Instruction ID: 272203a1b18634cf762b54a6057a686ebee5238308768226784257c439a15874
Opcode Fuzzy Hash: 2b687e4edb5f2f8d4800d429dca7a008ef7a5e5009c69f419ef6d4cf832491fc
Instruction Fuzzy Hash: 9B016F32A0512057D3E062345849BFE27858F8177AF390119FC08AB1D3DEEC8C89C196

Function 0072DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0072DB7B
DispatchMessageW.USER32(?), ref: 0072DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0072DB9F
Sleep.KERNELBASE(0000000A), ref: 0072DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00771CC9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 557ebf54fa5325152ce14f9dcf714e2bdf6ebc96a101b6bf3af1b576eee1e00e
Instruction ID: 0f55269cc50eb36be42bb04360b9ab28896978b7dce2d384297f1c662120ce28
Opcode Fuzzy Hash: 557ebf54fa5325152ce14f9dcf714e2bdf6ebc96a101b6bf3af1b576eee1e00e
Instruction Fuzzy Hash: 40F0FE70644344DBEB31CBA49D59FEA73A8EF45350F50CA19E65AC70D0DB389448DB29

Function 00731310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007317F6

Strings

CALL, xrefs: 007317C6

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 12fff90e4289308adda7766eec8b7085058523b4f2eb135291e9a63a31fb63f9
Instruction ID: 7f8201e6b445e19e7f75915679012978b02eb561c58deb4f45d7b4d4e9937579
Opcode Fuzzy Hash: 12fff90e4289308adda7766eec8b7085058523b4f2eb135291e9a63a31fb63f9
Instruction Fuzzy Hash: DB229C70608241DFE714CF24C494B2ABBF1BF89354F58896DF49A8B362D739E851CB92

Function 00723837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00723908

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 029711f6678928d706e623ce61ad52804a0b99b890e514d111a2cfb09350cc9e
Instruction ID: fa460d3dd64a4316ec8cbd49538652c644c161a2cd25f493a84aaacb94951948
Opcode Fuzzy Hash: 029711f6678928d706e623ce61ad52804a0b99b890e514d111a2cfb09350cc9e
Instruction Fuzzy Hash: 1D318E70604311DFD721DF25E885BA7BBE8FF49708F00492EF99A87240E779AA44CB56

Function 0073F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0073F661

Part of subcall function 0072D730: GetInputState.USER32 ref: 0072D807

Sleep.KERNEL32(00000000), ref: 0077F2DE

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 5a6b6c4e973cc10af156f8164da7f2b20be3bab83d21e45be226ff46925173b6
Instruction ID: 1d92f43675a7e71344c89c67e290719f396be40df362727a3a056ed659f30b8b
Opcode Fuzzy Hash: 5a6b6c4e973cc10af156f8164da7f2b20be3bab83d21e45be226ff46925173b6
Instruction Fuzzy Hash: 28F08C71240615EFD310EF69E44AF6AB7E8FF49760F00816AE859CB361DB74AC10CB94

Function 00724ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00724E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E9C
Part of subcall function 00724E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724EAE
Part of subcall function 00724E90: FreeLibrary.KERNEL32(00000000,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EFD

Part of subcall function 00724E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E62
Part of subcall function 00724E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724E74
Part of subcall function 00724E59: FreeLibrary.KERNEL32(00000000,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E87

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e6e3be6caeeccae3712aee2345af125ce12833e698611f99a5b2a43241148e08
Instruction ID: 792520d4ce130af3ad5b2cb0a2eb972d193aae8a1bc702f94d6bd84fdb2cd0f6
Opcode Fuzzy Hash: e6e3be6caeeccae3712aee2345af125ce12833e698611f99a5b2a43241148e08
Instruction Fuzzy Hash: 7711E731610215EADF25BB64ED0AFAD77A5AF90710F10842DF542A61C1EE789E059B50

Function 00758402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00758440

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0be54f061a4d07580ff62ac5d7c21ed8655c96a761a097c4f7228b90c9b487bd
Instruction ID: a6d0d05193b950543cf54989aefba84e13f022b071544477369722613eb0c184
Opcode Fuzzy Hash: 0be54f061a4d07580ff62ac5d7c21ed8655c96a761a097c4f7228b90c9b487bd
Instruction Fuzzy Hash: 8C11487190420AAFCB05DF58E9449DA7BF9EF48300F104059FC09AB312DA71EA15CBA5

Function 0074E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 69a0a7e3601e63cdcea36509edf19cd8a34e53b274920e3b19ab4e53bb975271
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 4CF0F932510A10D7C7313A759C0DB9A339CAF52335F120715F925A21D2CBBCA80686A7

Function 00753820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: de1abf2d43b0123203a80c4fb8a9696e76f74c92494bb81c92b260fdaf1972ff
Instruction ID: 88b945eb180b9cafa0bf354ff7fc03565c177b51ab7697b8ea8cedbfe7eabcc5
Opcode Fuzzy Hash: de1abf2d43b0123203a80c4fb8a9696e76f74c92494bb81c92b260fdaf1972ff
Instruction Fuzzy Hash: 4BE0E532500228AAE73526669C05BDA3748AF427F2F090122BC14A34A0CBDDFD0581F0

Function 00724F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724F6D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 452f2ff7eb37e712b640b12028eedd5683a8d8b079dc831339d2725e0562ca98
Instruction ID: 90f191250c7b339309a274112f986e6df8d903bbafffb3302b1b970ee3edf238
Opcode Fuzzy Hash: 452f2ff7eb37e712b640b12028eedd5683a8d8b079dc831339d2725e0562ca98
Instruction Fuzzy Hash: E1F03971105762CFDB349F64E594C22BBE4FF543293288A7EE2EA82621C7399884DF10

Function 007B2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007B2A66

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 973b2bbd7f1e3431ecb522f2095c795a77d01f18c7e80018c680a01a3e87bc1a
Instruction ID: ff2bdf32d73a172d98b0d1083b73d7acd8bac8d060a503fe276f5440e535ed12
Opcode Fuzzy Hash: 973b2bbd7f1e3431ecb522f2095c795a77d01f18c7e80018c680a01a3e87bc1a
Instruction Fuzzy Hash: B0E04F3679111AAAC714EA30EC84AFA775CEB503957108536EC2AC2101DB38999686A0

Function 007230F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0072314E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: dd1dfe66974ca7e2e36c2799939f387c6a1374af680a8a58150750eac0f45a84
Instruction ID: 26d7a9ab65a6e31a9314141fd4f71ba0b8ee36373dddb7dc232c7731105c4e9a
Opcode Fuzzy Hash: dd1dfe66974ca7e2e36c2799939f387c6a1374af680a8a58150750eac0f45a84
Instruction Fuzzy Hash: E0F0A770900318DFE7529F24DC4ABE57BBCAB01708F0040E5A14896182D7784B88CF45

Function 00722DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00722DC4

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ba5ed9a122d7e4c10f8f6f3be3c02674822e77c155be43ad9e0f89b29f44064d
Instruction ID: a315f2fbb7393806e6f5bc61f226c0af8ab3838a18b11e02195121071117a1d4
Opcode Fuzzy Hash: ba5ed9a122d7e4c10f8f6f3be3c02674822e77c155be43ad9e0f89b29f44064d
Instruction Fuzzy Hash: 55E0CD726001245BC72192589C09FDA77DDDFC8790F044172FD09D7248D964AD808550

Function 00722B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00723837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00723908

Part of subcall function 0072D730: GetInputState.USER32 ref: 0072D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00722B6B

Part of subcall function 007230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0072314E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: af052c0efd621c90ee1b738fd22517f554186df529e579312af25402eca8db6c
Instruction ID: ecb8cdc546d72738508fb1cf8a20fc211e26273305a5aeff68f24394540ada12
Opcode Fuzzy Hash: af052c0efd621c90ee1b738fd22517f554186df529e579312af25402eca8db6c
Instruction Fuzzy Hash: 5BE07D21300268C3CB04BB74B85E57DF349DBD1351F80553EF14243263CF2C89458362

Function 0076039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00760704,?,?,00000000,?,00760704,00000000,0000000C), ref: 007603B7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d97694007988fc07dc1aa681f7cbaac3945861818c18b0236136c3b024a00991
Instruction ID: 3ced104ee232b417ed0445bbfbd3999aa959d3a7fb51f659969d9bf4d9b468e6
Opcode Fuzzy Hash: d97694007988fc07dc1aa681f7cbaac3945861818c18b0236136c3b024a00991
Instruction Fuzzy Hash: 87D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018100BE1866020C736E821AB94

Function 00721CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00721CBC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d58304b879fc9876a710e779fb262a8247f1de00d3129cca0a45220fd4d9bc7c
Instruction ID: 9317a7e43876a6d8625db476f9b0fc5de4d8c27586b67dee229e74fdc081b869
Opcode Fuzzy Hash: d58304b879fc9876a710e779fb262a8247f1de00d3129cca0a45220fd4d9bc7c
Instruction Fuzzy Hash: 06C09B36280305DFF2154780BC5AF207754A748B00F54C001F609555E3C3A51430D658

Non-executed Functions

Function 007B9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007B961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007B965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007B969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007B96C9
SendMessageW.USER32 ref: 007B96F2
GetKeyState.USER32(00000011), ref: 007B978B
GetKeyState.USER32(00000009), ref: 007B9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007B97AE
GetKeyState.USER32(00000010), ref: 007B97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007B97E9
SendMessageW.USER32 ref: 007B9810
SendMessageW.USER32(?,00001030,?,007B7E95), ref: 007B9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007B992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007B9941
SetCapture.USER32(?), ref: 007B994A
ClientToScreen.USER32(?,?), ref: 007B99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007B99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B99D6
ReleaseCapture.USER32 ref: 007B99E1
GetCursorPos.USER32(?), ref: 007B9A19
ScreenToClient.USER32(?,?), ref: 007B9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007B9A80
SendMessageW.USER32 ref: 007B9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007B9AEB
SendMessageW.USER32 ref: 007B9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007B9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007B9B4A
GetCursorPos.USER32(?), ref: 007B9B68
ScreenToClient.USER32(?,?), ref: 007B9B75
GetParent.USER32(?), ref: 007B9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007B9BFA
SendMessageW.USER32 ref: 007B9C2B
ClientToScreen.USER32(?,?), ref: 007B9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007B9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007B9CDE
SendMessageW.USER32 ref: 007B9D01
ClientToScreen.USER32(?,?), ref: 007B9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007B9D82

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

GetWindowLongW.USER32(?,000000F0), ref: 007B9E05

Strings

F, xrefs: 007B9D07
@GUI_DRAGID, xrefs: 007B997D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: fe166a663b864230e7f765ebc40b89e92d7363c095776964856095184f303871
Instruction ID: 3ee384870f50b21147b78cb656f57412aef2c1a5c2a3f30461adbf583b136868
Opcode Fuzzy Hash: fe166a663b864230e7f765ebc40b89e92d7363c095776964856095184f303871
Instruction Fuzzy Hash: D3428930204250EFDB25CF24CC48FAABBE5EF49314F108659F7A9872A1D779E850CB95

Function 007B4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007B48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007B4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007B4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007B494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007B495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007B497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007B49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007B49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007B4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007B4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007B4A7E
IsMenu.USER32(?), ref: 007B4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007B4B20
GetWindowLongW.USER32(?,000000F0), ref: 007B4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007B4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007B4C82
wsprintfW.USER32 ref: 007B4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007B4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007B4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007B4D5A

Strings

%d/%02d/%02d, xrefs: 007B4CA8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: abcf0b6ca048d6d3c924c6f63ead770d13ad1cfd379e92307a0909aa023b8c60
Instruction ID: 16862e48ed9dadf8b630a6d4b30a7296d924fe8e38a2734cc5758ccf1278058e
Opcode Fuzzy Hash: abcf0b6ca048d6d3c924c6f63ead770d13ad1cfd379e92307a0909aa023b8c60
Instruction Fuzzy Hash: 0C12CE71600214ABEB258F28CC49FEE7BF8EF49714F148269F515EB2E2DB789941CB50

Function 0073F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0073F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0077F474
IsIconic.USER32(00000000), ref: 0077F47D
ShowWindow.USER32(00000000,00000009), ref: 0077F48A
SetForegroundWindow.USER32(00000000), ref: 0077F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077F4AA
GetCurrentThreadId.KERNEL32 ref: 0077F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0077F4DE
SetForegroundWindow.USER32(00000000), ref: 0077F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F4F6
keybd_event.USER32(00000012,00000000), ref: 0077F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F50B
keybd_event.USER32(00000012,00000000), ref: 0077F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F519
keybd_event.USER32(00000012,00000000), ref: 0077F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077F528
keybd_event.USER32(00000012,00000000), ref: 0077F52D
SetForegroundWindow.USER32(00000000), ref: 0077F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0077F557

Strings

Shell_TrayWnd, xrefs: 0077F46F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d6531acb4fc9e86d12dee80d5d74a96a60beb7c237aab988f312bb782671927d
Instruction ID: 21608366442e62f1e8b9abd90398136b58e6625cbcb8ab0a6365630245b3ed05
Opcode Fuzzy Hash: d6531acb4fc9e86d12dee80d5d74a96a60beb7c237aab988f312bb782671927d
Instruction Fuzzy Hash: 1931A671A40218BFEF316BB58C4AFBF7E6CEB44B50F208165FA04E61D1C6B85D10AA64

Function 00781201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
Part of subcall function 007816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
Part of subcall function 007816C3: GetLastError.KERNEL32 ref: 0078174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00781286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007812A8
CloseHandle.KERNEL32(?), ref: 007812B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007812D1
GetProcessWindowStation.USER32 ref: 007812EA
SetProcessWindowStation.USER32(00000000), ref: 007812F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00781310

Part of subcall function 007810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007811FC), ref: 007810D4
Part of subcall function 007810BF: CloseHandle.KERNEL32(?,?,007811FC), ref: 007810E9

Strings

winsta0, xrefs: 007812CC
default, xrefs: 0078130B
Z~, xrefs: 00781392
, xrefs: 0078125A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z~
API String ID: 22674027-1148668839
Opcode ID: 654b77d8e2a0f8e9ea20f8826641e3e27bb064221603edc1bd4a762fc0fc5c10
Instruction ID: bd0c77eaf8f605e99064137aa48fba016182c84998f065300489766a9782aafe
Opcode Fuzzy Hash: 654b77d8e2a0f8e9ea20f8826641e3e27bb064221603edc1bd4a762fc0fc5c10
Instruction Fuzzy Hash: A581ADB1940249AFDF21AFA4DC49FEE7BBDEF04704F148129F915E61A0D7398946CB24

Function 00780B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
Part of subcall function 007810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
Part of subcall function 007810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
Part of subcall function 007810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00780BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00780C00
GetLengthSid.ADVAPI32(?), ref: 00780C17
GetAce.ADVAPI32(?,00000000,?), ref: 00780C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00780C6D
GetLengthSid.ADVAPI32(?), ref: 00780C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00780C8C
HeapAlloc.KERNEL32(00000000), ref: 00780C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00780CB4
CopySid.ADVAPI32(00000000), ref: 00780CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00780CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00780D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00780D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D45
HeapFree.KERNEL32(00000000), ref: 00780D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D55
HeapFree.KERNEL32(00000000), ref: 00780D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780D65
HeapFree.KERNEL32(00000000), ref: 00780D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00780D78
HeapFree.KERNEL32(00000000), ref: 00780D7F

Part of subcall function 00781193: GetProcessHeap.KERNEL32(00000008,00780BB1,?,00000000,?,00780BB1,?), ref: 007811A1
Part of subcall function 00781193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00780BB1,?), ref: 007811A8
Part of subcall function 00781193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00780BB1,?), ref: 007811B7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4ba9f82c9ee5f0b1f98d23574ac002ee5ac439c4d2565b2b26f061744e2afe33
Instruction ID: def28d6cd5c1dd21b05bc3d52f1bdd514e765c2cc126ac4eab5155f12269b750
Opcode Fuzzy Hash: 4ba9f82c9ee5f0b1f98d23574ac002ee5ac439c4d2565b2b26f061744e2afe33
Instruction Fuzzy Hash: 78715FB2A4020AAFDF51EFA4DC45FEEBBB8BF04310F048615E914A7191D779A905CBB0

Function 0079EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007BCC08), ref: 0079EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0079EB37
GetClipboardData.USER32(0000000D), ref: 0079EB43
CloseClipboard.USER32 ref: 0079EB4F
GlobalLock.KERNEL32(00000000), ref: 0079EB87
CloseClipboard.USER32 ref: 0079EB91
GlobalUnlock.KERNEL32(00000000), ref: 0079EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0079EBC9
GetClipboardData.USER32(00000001), ref: 0079EBD1
GlobalLock.KERNEL32(00000000), ref: 0079EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0079EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0079EC38
GetClipboardData.USER32(0000000F), ref: 0079EC44
GlobalLock.KERNEL32(00000000), ref: 0079EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0079EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0079EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0079ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0079ECF3
CountClipboardFormats.USER32 ref: 0079ED14
CloseClipboard.USER32 ref: 0079ED59

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: dd1852789a24522260d7b745c7f761e13cb24f23ef9aab3facdd0127f0f65e57
Instruction ID: c4438605e01d71875d72c5ff74942cae020d25665d46bc6de8a49e5452cc0f4b
Opcode Fuzzy Hash: dd1852789a24522260d7b745c7f761e13cb24f23ef9aab3facdd0127f0f65e57
Instruction Fuzzy Hash: DC61E174204202AFD701EF24E889F6AB7A4FF84714F08861DF496972A2DB39DD45CB62

Function 0079698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007969BE
FindClose.KERNEL32(00000000), ref: 00796A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00796A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00796A75

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00796AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00796ADF

Strings

%4d, xrefs: 00796BB1
%02d, xrefs: 00796C00, 00796C0A, 00796C5A, 00796CAA, 00796CFA, 00796D4A
%03d, xrefs: 00796DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00796B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00796B32

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b433b74c95c71d464e88f4ad717c2211d961b6a7612e5bada2844c6cedbdc76b
Instruction ID: ca5ba2188af8f39cc5f240905f7855a4998788bd9ff42b47a945a4f0734dcb50
Opcode Fuzzy Hash: b433b74c95c71d464e88f4ad717c2211d961b6a7612e5bada2844c6cedbdc76b
Instruction Fuzzy Hash: 6DD17DB2508350AFC714EBA0D985EAFB7ECBF98704F04491DF585D6191EB38DA48CB62

Function 00799642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00799663
GetFileAttributesW.KERNEL32(?), ref: 007996A1
SetFileAttributesW.KERNEL32(?,?), ref: 007996BB
FindNextFileW.KERNEL32(00000000,?), ref: 007996D3
FindClose.KERNEL32(00000000), ref: 007996DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007996FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0079974A
SetCurrentDirectoryW.KERNEL32(007E6B7C), ref: 00799768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00799772
FindClose.KERNEL32(00000000), ref: 0079977F
FindClose.KERNEL32(00000000), ref: 0079978F

Strings

*.*, xrefs: 007996F5

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 03caa61e070da386a6d8657b923d4c8516370d07434eb9474bb783ff8699cc9c
Instruction ID: 21cee312af3148bd59469745ab4eb51600209bf1f7cf8dc403c563da9a0131e5
Opcode Fuzzy Hash: 03caa61e070da386a6d8657b923d4c8516370d07434eb9474bb783ff8699cc9c
Instruction Fuzzy Hash: 1431D5725016196BEF15EFF9EC48EDE77ACAF49320F14825AFA05E2190DB7CDD408A24

Function 0079979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 007997BE
FindNextFileW.KERNEL32(00000000,?), ref: 00799819
FindClose.KERNEL32(00000000), ref: 00799824
FindFirstFileW.KERNEL32(*.*,?), ref: 00799840
SetCurrentDirectoryW.KERNEL32(?), ref: 00799890
SetCurrentDirectoryW.KERNEL32(007E6B7C), ref: 007998AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007998B8
FindClose.KERNEL32(00000000), ref: 007998C5
FindClose.KERNEL32(00000000), ref: 007998D5

Part of subcall function 0078DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0078DB00

Strings

*.*, xrefs: 0079983B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: f5288f6b06fe2652e6e524d5c57fd3e5c4b87fc72154f3fef429dbc7c429a1fb
Instruction ID: f48256c7f42bbc8ce0bf98e659447779cd4128925ebdc3f87f3d8b4b8adc5911
Opcode Fuzzy Hash: f5288f6b06fe2652e6e524d5c57fd3e5c4b87fc72154f3fef429dbc7c429a1fb
Instruction Fuzzy Hash: AF31D671501219ABEF11EFB9EC48EDE77ACAF0A320F14815DE910A2191DB78DD44CB24

Function 007ABE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 007ABFA9
RegCloseKey.ADVAPI32(00000000), ref: 007ABFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007AC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007AC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 007AC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 007AC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007AC382
RegCloseKey.ADVAPI32(00000000), ref: 007AC38F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: be7d16c8c9107b3c85db27c24ddbb4068d6fd431c6f0bfc7ff8938c667ac356d
Instruction ID: 959b22f2c257792341d173a57a8235e0dfd0c55dc9080e1a1047300914b3a256
Opcode Fuzzy Hash: be7d16c8c9107b3c85db27c24ddbb4068d6fd431c6f0bfc7ff8938c667ac356d
Instruction Fuzzy Hash: 78023A71604200EFD715DF28C895E2ABBE5AF89308F18C59DF84A9B2A2D735EC45CB52

Function 00798195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00798257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00798267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00798273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00798310
SetCurrentDirectoryW.KERNEL32(?), ref: 00798324
SetCurrentDirectoryW.KERNEL32(?), ref: 00798356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0079838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00798395

Strings

*.*, xrefs: 0079839B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fb861fabdb1ef781cc6dae4e90299b4b75e4cbb04970bd3cd54cc5af5e848c33
Instruction ID: b10b9128437fd08a4d9699a412cde634a33aa0571ca4173193297e0e072a647d
Opcode Fuzzy Hash: fb861fabdb1ef781cc6dae4e90299b4b75e4cbb04970bd3cd54cc5af5e848c33
Instruction Fuzzy Hash: 86616BB25043059FCB10EF64D8459AEB3E8FF89310F04892EF989D7251EB39E945CB92

Function 0078D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

FindFirstFileW.KERNEL32(?,?), ref: 0078D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0078D1DD
MoveFileW.KERNEL32(?,?), ref: 0078D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0078D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078D237

Part of subcall function 0078D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0078D21C,?,?), ref: 0078D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0078D253
FindClose.KERNEL32(00000000), ref: 0078D264

Strings

\*.*, xrefs: 0078D0CD, 0078D0D6, 0078D0EB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a649dbab3d0e604dfe40764f7f2c8be11d04b8afb68785ffdab89555be0717a5
Instruction ID: 8880517c6258d30ea73d3b9e99ba95dcf47fec660564fcf7c82e9f8d2ee447d6
Opcode Fuzzy Hash: a649dbab3d0e604dfe40764f7f2c8be11d04b8afb68785ffdab89555be0717a5
Instruction Fuzzy Hash: 14612831C4111DEBCF15FBA0E99A9EDB7B5AF55300F248169E40277192EB38AF09CB61

Function 0079ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0079ED91
EmptyClipboard.USER32 ref: 0079ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0079EDAC
CloseClipboard.USER32 ref: 0079EEA3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 76085aa88b542b4204e8270459583f14b86e0644f970505a3245fec08b281553
Instruction ID: 639a9e3dd387772c823bbb8ff89cd034bdc5b5ba27cfe299efd16854346593eb
Opcode Fuzzy Hash: 76085aa88b542b4204e8270459583f14b86e0644f970505a3245fec08b281553
Instruction Fuzzy Hash: 9B419C35604611EFEB21DF15E888F2ABBE5FF44328F14C199E4158BA62C739EC42CB94

Function 0078E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
Part of subcall function 007816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
Part of subcall function 007816C3: GetLastError.KERNEL32 ref: 0078174A

ExitWindowsEx.USER32(?,00000000), ref: 0078E932

Strings

, xrefs: 0078E95C
, xrefs: 0078E920
SeShutdownPrivilege, xrefs: 0078E902
@, xrefs: 0078E925

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d019d657b5079dfb49ca17cff688f42ce30cf8f7363eaccaa8a7089cd2be61e2
Instruction ID: ee0b580b3c10167713b342f42728f0353284a0bc3f7ac4f872305736dbaf623c
Opcode Fuzzy Hash: d019d657b5079dfb49ca17cff688f42ce30cf8f7363eaccaa8a7089cd2be61e2
Instruction Fuzzy Hash: 2001F972690211ABEB6476B49C8AFBF725CAB14750F158521FC13E21E2E7ECBC4083A5

Function 007A1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007A1276
WSAGetLastError.WSOCK32 ref: 007A1283
bind.WSOCK32(00000000,?,00000010), ref: 007A12BA
WSAGetLastError.WSOCK32 ref: 007A12C5
closesocket.WSOCK32(00000000), ref: 007A12F4
listen.WSOCK32(00000000,00000005), ref: 007A1303
WSAGetLastError.WSOCK32 ref: 007A130D
closesocket.WSOCK32(00000000), ref: 007A133C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6edda8d26f99480c005b6a69ab0949cf9bbe2d83ca330b77b6f2e338ae55120e
Instruction ID: 49d1193f7e45db8c5d3e43bb1ccd47120ba31ac548907904658b3047ac0c9884
Opcode Fuzzy Hash: 6edda8d26f99480c005b6a69ab0949cf9bbe2d83ca330b77b6f2e338ae55120e
Instruction Fuzzy Hash: 3D4183316001109FE710DF64D588B29BBE5BF86318F58C298E8569F2D2C779ED81CBE1

Function 0078D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

FindFirstFileW.KERNEL32(?,?), ref: 0078D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0078D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0078D481
FindClose.KERNEL32(00000000), ref: 0078D498
FindClose.KERNEL32(00000000), ref: 0078D4A1

Strings

\*.*, xrefs: 0078D3F2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 402f6c924f64fdbf195b31d47dfa1321afb878e6fd71fc17c584147dad2712ae
Instruction ID: b189f10d33ecf33be44552172df0165fc7de1e6610decb1c99f81eb93cd96317
Opcode Fuzzy Hash: 402f6c924f64fdbf195b31d47dfa1321afb878e6fd71fc17c584147dad2712ae
Instruction Fuzzy Hash: 3E318F71008395ABC215FF60D8559AFB7A8BE91300F448A1DF8D552191EB38AE098B63

Function 0075E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0075E645

Strings

1#IND, xrefs: 0075F83D
1#INF, xrefs: 0075F852
1#QNAN, xrefs: 0075F84B
1#SNAN, xrefs: 0075F844

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2e7192699359e16b1f8d8800399be1657a00b017f29b0a89243a74262d405cc8
Instruction ID: 2478150c2400caa2512688c3535c58e070d07e4aeab099761260f35769ff96d3
Opcode Fuzzy Hash: 2e7192699359e16b1f8d8800399be1657a00b017f29b0a89243a74262d405cc8
Instruction Fuzzy Hash: F4C26071E046288FDB69CF28DD447E9B7B5EB44306F1441EAD84DE7241E7B8AE858F40

Function 0079648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007964DC
CoInitialize.OLE32(00000000), ref: 00796639
CoCreateInstance.OLE32(007BFCF8,00000000,00000001,007BFB68,?), ref: 00796650
CoUninitialize.OLE32 ref: 007968D4

Strings

.lnk, xrefs: 007964BA, 00796524, 007965E0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 5807e88795efce3e2894dd3c6c8151e7203a033a6d53a2bf6c8b0ce334b87891
Instruction ID: e3d5e3ff212350a04d889bafaca28abe4e0841f8978c097e30835e3e0093778e
Opcode Fuzzy Hash: 5807e88795efce3e2894dd3c6c8151e7203a033a6d53a2bf6c8b0ce334b87891
Instruction Fuzzy Hash: 64D16771508211AFC714EF24D895E6BB7E8FF98704F04492DF5958B2A1EB34ED09CBA2

Function 007A22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007A22E8

Part of subcall function 0079E4EC: GetWindowRect.USER32(?,?), ref: 0079E504

GetDesktopWindow.USER32 ref: 007A2312
GetWindowRect.USER32(00000000), ref: 007A2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 007A2355
GetCursorPos.USER32(?), ref: 007A2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007A23DF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c32e6eb4a576da1d72a4ffac54088f8151172a7314fe3f4d18d680d590477372
Instruction ID: 097ca024150b0b18ccc1f96dc77f1d67b3851a5f4849f48660757b56db3f1018
Opcode Fuzzy Hash: c32e6eb4a576da1d72a4ffac54088f8151172a7314fe3f4d18d680d590477372
Instruction Fuzzy Hash: 0631E272504315AFCB21DF18C849F5BB7A9FFC6314F004A19F98597192DB38E909CB96

Function 00799B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00799B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00799C8B

Part of subcall function 00793874: GetInputState.USER32 ref: 007938CB
Part of subcall function 00793874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00793966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00799BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00799C75

Strings

*.*, xrefs: 00799B5D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 69208f7a08f0951c43414a9d637ff7c7a4f156f78d27bc6eb0f548311930bcc8
Instruction ID: d08f2ebce0fe05c58e8b46225dd0c91418498e8bd6043f1c73b5bd39158e37c4
Opcode Fuzzy Hash: 69208f7a08f0951c43414a9d637ff7c7a4f156f78d27bc6eb0f548311930bcc8
Instruction Fuzzy Hash: 40414FB190461ADBDF15DF68DC49AEEBBB8EF05310F24815AE505A2191DB389E44CB60

Function 0073997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00739A4E
GetSysColor.USER32(0000000F), ref: 00739B23
SetBkColor.GDI32(?,00000000), ref: 00739B36

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 7b74c25605d1a36fe4fcbf1eb41f91f1d72c38befa90153df6bdae8fce1c800e
Instruction ID: a0c2dff73acac03b0f77e3b9a2081203d8e53b415a43659bf1812bb2cff71e55
Opcode Fuzzy Hash: 7b74c25605d1a36fe4fcbf1eb41f91f1d72c38befa90153df6bdae8fce1c800e
Instruction Fuzzy Hash: B5A11BB1108444FEFB2D9A3D8C9DEBB265DDB42390F15C209F312C6697CAAD9D01C2B6

Function 007A1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
Part of subcall function 007A304E: _wcslen.LIBCMT ref: 007A309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 007A185D
WSAGetLastError.WSOCK32 ref: 007A1884
bind.WSOCK32(00000000,?,00000010), ref: 007A18DB
WSAGetLastError.WSOCK32 ref: 007A18E6
closesocket.WSOCK32(00000000), ref: 007A1915

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6943bcd9b54120e02c507cc2fd32911740c249508aecf2d6a06da1f87074af05
Instruction ID: 838f7cd27a4fa760258ac1157dbb02168984bec1dccc036f989ef74adae8f4c4
Opcode Fuzzy Hash: 6943bcd9b54120e02c507cc2fd32911740c249508aecf2d6a06da1f87074af05
Instruction Fuzzy Hash: 3951B371A002109FE710AF24D88AF2A77E5AB89718F48C158F9055F3C3C779AD41CBE1

Function 007B1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007B1CC0
IsWindowEnabled.USER32 ref: 007B1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007B1CDB
IsIconic.USER32 ref: 007B1CE9
IsZoomed.USER32 ref: 007B1CF7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 07a34d8db7631740e09cbe9c444a88979f8191bafa4465d21d4802e5350b2726
Instruction ID: dcc4bca1376b10d6e5072f6ce361db21acfd74a644d6790de928d3478abd77d1
Opcode Fuzzy Hash: 07a34d8db7631740e09cbe9c444a88979f8191bafa4465d21d4802e5350b2726
Instruction Fuzzy Hash: CC21D6317402109FD7218F1AC868FAA7FA5EF95314F99C058E845CB351DB79DC42CBA4

Function 00728060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00765DF0
ERCP, xrefs: 0072813C
VUUU, xrefs: 0072843C
VUUU, xrefs: 007283E8
VUUU, xrefs: 007283FA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: f20a6a66615cb74623dda34b1624a8e783ff0f9abaa38804de17055287aa7200
Instruction ID: af313c0fcb9a8b0994209e0ad0032b4620686e192b53088a92af6412df0dfa81
Opcode Fuzzy Hash: f20a6a66615cb74623dda34b1624a8e783ff0f9abaa38804de17055287aa7200
Instruction Fuzzy Hash: 42A28F70E0122ACBDF64CF58D8407ADB7B1BF54310F6481AADC16A7385EB399D81DB91

Function 00788298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007882AA

Strings

|, xrefs: 007882DA
(, xrefs: 007882F0
tb~, xrefs: 007884F4

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb~$|
API String ID: 1659193697-2521436105
Opcode ID: bf86b13cc168af022c73ce4e54ca467b076561ea0f27968db52019df25a4bdb9
Instruction ID: 6c08e91f643e30667230034066238f9bb9ec6cae92b5f130402f153a4fb9f427
Opcode Fuzzy Hash: bf86b13cc168af022c73ce4e54ca467b076561ea0f27968db52019df25a4bdb9
Instruction Fuzzy Hash: 3C324574A00605DFCB68DF59C080A6AB7F0FF48710B51C56EE49ADB7A1EB74E981CB40

Function 0078AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0078AAAC
SetKeyboardState.USER32(00000080), ref: 0078AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0078AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0078AB88

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 816b85097dda6aa515cf1910af49866dbc8348aae945fdde76611e842ad32a45
Instruction ID: eb7e5913cb1f724e8359a89c218ab22230c6a6be9024d861cae5e3d76db74b4b
Opcode Fuzzy Hash: 816b85097dda6aa515cf1910af49866dbc8348aae945fdde76611e842ad32a45
Instruction Fuzzy Hash: 1231F8B0AC0248BEFF35AA648C05BFA7FA6AB44310F04821BF581965D1D37D8981C766

Function 0075BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0075BB7F

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

GetTimeZoneInformation.KERNEL32 ref: 0075BB91
WideCharToMultiByte.KERNEL32(00000000,?,007F121C,000000FF,?,0000003F,?,?), ref: 0075BC09
WideCharToMultiByte.KERNEL32(00000000,?,007F1270,000000FF,?,0000003F,?,?,?,007F121C,000000FF,?,0000003F,?,?), ref: 0075BC36

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3cf33f03f03cb3b702ea5f0bc282ba8da4a1db4d1afcda6c166b788bbd179780
Instruction ID: 6e5050a42514e34b40d5d7b02e472d90a89a41820e48ca99c2fe3cbef8d52f68
Opcode Fuzzy Hash: 3cf33f03f03cb3b702ea5f0bc282ba8da4a1db4d1afcda6c166b788bbd179780
Instruction Fuzzy Hash: 2231C670A04205DFCB11DFA9DC809BDBBB8FF45351B54826AE850E72B1D7B89D05CB64

Function 0079CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0079CE89
GetLastError.KERNEL32(?,00000000), ref: 0079CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0079CEFE

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5ace0a5dd490223abd024d0ceb1aa88e18f8fbf413c157b41e78b356bf2e602b
Instruction ID: 646b5deaa7fe9491cec19df4627f127704c76a2aab369d18d06a2bc0d4d81486
Opcode Fuzzy Hash: 5ace0a5dd490223abd024d0ceb1aa88e18f8fbf413c157b41e78b356bf2e602b
Instruction Fuzzy Hash: CD21BAB2500705ABEF22CFA5E948BA6B7F8EB50354F10842EE546D2151E778EE048B64

Function 00795C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00795CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00795D17
FindClose.KERNEL32(?), ref: 00795D5F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 6da5054452da60b7d6f4d146fc627b6399cb1b622b26d8f983d376187a7f319e
Instruction ID: 243740f4c91d7dca967977403e3248ff25a6cbda361a25c7d0f715699bf7b39e
Opcode Fuzzy Hash: 6da5054452da60b7d6f4d146fc627b6399cb1b622b26d8f983d376187a7f319e
Instruction Fuzzy Hash: B6519A75604A11DFCB15CF28E498E9AB7E4FF09314F14855EE95A8B3A2CB38EC04CB91

Function 00752622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0075271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00752724
UnhandledExceptionFilter.KERNEL32(?), ref: 00752731

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6333fb0212086040a00f2cc20e64c12dd96019aed935608089e5c6cf05f7413d
Instruction ID: e986e7090e366332569026321a389fcb1f126a986349fa2cef03d40109e656c6
Opcode Fuzzy Hash: 6333fb0212086040a00f2cc20e64c12dd96019aed935608089e5c6cf05f7413d
Instruction Fuzzy Hash: CA31D7749112189BCB21DF64DC88BDCBBB8AF08310F5081DAE90CA7261E7749F858F85

Function 007951CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007951DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00795238
SetErrorMode.KERNEL32(00000000), ref: 007952A1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f64b5e25778cc7b9a4c8daa9f151959cc0f8dda0a28efa60e8e40efe4d771f61
Instruction ID: 63e75fe7ab4f26b1878bbd5869afc91e72d2020f3e3e0551fa5ada25795b1253
Opcode Fuzzy Hash: f64b5e25778cc7b9a4c8daa9f151959cc0f8dda0a28efa60e8e40efe4d771f61
Instruction Fuzzy Hash: 61315E75A00518DFDB01DF54D888FADBBB5FF48314F088099E805AB3A2DB39E855CB90

Function 007816C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0073FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00740668
Part of subcall function 0073FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00740685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0078170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0078173A
GetLastError.KERNEL32 ref: 0078174A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: a05c7656d397693724b88e2a1f8563e27d03fa27fb847b49c37e01703855d0dd
Instruction ID: dc2764cbec5f097c7e8644dba00fee147e98290c4b944fcc7f5a2b3312f6c746
Opcode Fuzzy Hash: a05c7656d397693724b88e2a1f8563e27d03fa27fb847b49c37e01703855d0dd
Instruction Fuzzy Hash: C611C1B2910304AFE718AF54DC8AE6AB7BDEF44754B20C52EF05653241EB74BC428B24

Function 0078D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0078D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0078D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0078D650

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 95ab950d0e953bcfbcf2bd6467f36e1aa545fdd3e62aa5d7d6eeacdb65862a36
Instruction ID: 48d689aca92df759344ecd2ca20fd807e1fb697c511932f47c10bec2a4b16d1f
Opcode Fuzzy Hash: 95ab950d0e953bcfbcf2bd6467f36e1aa545fdd3e62aa5d7d6eeacdb65862a36
Instruction Fuzzy Hash: 7D118E71E05228BFDB208F98EC44FAFBBBCEB45B50F108121F904E7290D2744E018BA1

Function 00781663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0078168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007816A1
FreeSid.ADVAPI32(?), ref: 007816B1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 4d069e1de398c7a1fbc616e2edd21329417aae0402294b4c34d2b2887374670a
Instruction ID: 2049e8a2d95439dc5693051186badbde66f1e28f2f643f3bdabd34217b6f1556
Opcode Fuzzy Hash: 4d069e1de398c7a1fbc616e2edd21329417aae0402294b4c34d2b2887374670a
Instruction Fuzzy Hash: 96F0F971950309FBDB00DFE49C89EAEBBBCFB04604F508565E501E2181E774AA448B54

Function 0077D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0077D28C

Strings

X64, xrefs: 0077D2A8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: e995d0f10e24d725868f0ae9f196bd22b9d8adf46856d78a600f1b6e2126d66e
Instruction ID: 3db44e3d7d2b5956dd2066069acc7073982f9f31d23ce6681d4f2ec00e4ffa6c
Opcode Fuzzy Hash: e995d0f10e24d725868f0ae9f196bd22b9d8adf46856d78a600f1b6e2126d66e
Instruction Fuzzy Hash: 3FD0C9B480111DEBCFA4DB90EC88DDDB37CBB04345F108252F506A2000DB7899498F10

Function 0074CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 666869d21be1a20637665201f9c2d00282ae92fcb63e1fdb710b4ba707bb2db9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: D5024D72E012299FDF55CFA9C8806ADFBF1EF48314F258169D919E7380D734AA41CB90

Function 007968EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00796918
FindClose.KERNEL32(00000000), ref: 00796961

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 19bd2132c21cd531e75bb29fd9dafe56d02d0c1281abbbe4afb038c4635f5f66
Instruction ID: 848903037ac7f17d1e73b70e0abe907dae1db8ab4f5ec9b1df36810e383335e5
Opcode Fuzzy Hash: 19bd2132c21cd531e75bb29fd9dafe56d02d0c1281abbbe4afb038c4635f5f66
Instruction Fuzzy Hash: 551193716046109FDB10DF29D488A16BBE5FF89328F14C69DE4698F6A2C734EC05CB91

Function 007937B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,007A4891,?,?,00000035,?), ref: 007937E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,007A4891,?,?,00000035,?), ref: 007937F4

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c472490ba1bb4f952266bb727d26925018600f767a042951794ea38fd64491af
Instruction ID: 14d6aa6a177272330a4d266d94bd68d7202ca9ad3a3abe1b5a11271d6c15b2a1
Opcode Fuzzy Hash: c472490ba1bb4f952266bb727d26925018600f767a042951794ea38fd64491af
Instruction Fuzzy Hash: 5EF0E5B06052286AEB2017B69C8DFEB3AAEEFC4761F004265F509D2291D9749944C6B0

Function 0078B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0078B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0078B270

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: a86689f8a26fe22b0f6ca4a8f936945bb3ddc364aef6dba1be9492eeb17823a1
Instruction ID: de0ebf2ea54612b13143e0f2286f36c32a79c4346424897dd37e9fafa41f6eca
Opcode Fuzzy Hash: a86689f8a26fe22b0f6ca4a8f936945bb3ddc364aef6dba1be9492eeb17823a1
Instruction Fuzzy Hash: 1DF01D7184424DABDB159FA4C805BEE7BB4FF08305F10C019F955A5191C77D96119F98

Function 007810BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007811FC), ref: 007810D4
CloseHandle.KERNEL32(?,?,007811FC), ref: 007810E9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a1244a9b99bc4a480de97c45f98de234031019c754f08e1b4537f94b84c2c8f4
Instruction ID: 9711dd500a4275dd5c424b79cd38cf3c9a738e7406b4743cb7117ef8916a122c
Opcode Fuzzy Hash: a1244a9b99bc4a480de97c45f98de234031019c754f08e1b4537f94b84c2c8f4
Instruction Fuzzy Hash: F4E01A32418600EEF7262B11FC09E7377A9EB04310F10C92DF4A5804B1DA666C909B54

Function 0072CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00770C40

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 8b4d7007cd58b5d5fdd8d613c5851c0d8aa9d1fa282c4b862a708ce893e2d620
Instruction ID: 767e8d78102283a825e3b44303155aae8f5775dea1ecd4552051abc0dff8afce
Opcode Fuzzy Hash: 8b4d7007cd58b5d5fdd8d613c5851c0d8aa9d1fa282c4b862a708ce893e2d620
Instruction Fuzzy Hash: E832CF70A00228DFDF15DF90E985AEDB7B5FF15344F148059E80AAB292C77DAE45CBA0

Function 0075676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00756766,?,?,00000008,?,?,0075FEFE,00000000), ref: 00756998

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 2eb21259c349a01977b90e2985cc753be775a352dd065aeec83f117e58fcd6ac
Instruction ID: b61aa611b9341cc6dc50e8837ad785e0643028e0abb3a94879216add429bb80d
Opcode Fuzzy Hash: 2eb21259c349a01977b90e2985cc753be775a352dd065aeec83f117e58fcd6ac
Instruction Fuzzy Hash: C0B15A316106089FD715CF28C48ABA47BA0FF05366F65C658E899CF2A2C779E989CB40

Function 0073B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0077851F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 424e2a9e985432672899556e67d3f71ae381eb8f714f46759166dcdcccc237bb
Instruction ID: 7cb43d43e642971df5c973f34b03d44aa4b36fb5b5a313e2923c0552ec0d4b32
Opcode Fuzzy Hash: 424e2a9e985432672899556e67d3f71ae381eb8f714f46759166dcdcccc237bb
Instruction Fuzzy Hash: 49126071900229DBDF54CF58C8857EEB7B5FF48310F14819AE949EB252EB389A81CB91

Function 0079EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0079EABD

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fdb807d5a8188c6cfba06eeaf07be5154ad325400adf1291606ef20e05bb1001
Instruction ID: 0e462d36e2c0c5a3a0b0a65ed104f2c21d5eaf1fc1272741dc31097323271d68
Opcode Fuzzy Hash: fdb807d5a8188c6cfba06eeaf07be5154ad325400adf1291606ef20e05bb1001
Instruction Fuzzy Hash: B0E048312002149FD710DF59E404E5AF7D9EF58760F04C416FC45C7361D774E8418B90

Function 007409D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007403EE), ref: 007409DA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ccf1d5320391fff2c61cc9659056aba368f6be25a446189441d28fb75375da43
Instruction ID: 29fe2376ac5792f278a8671674742071707236a63d6550adbde7fba0851e7ba7
Opcode Fuzzy Hash: ccf1d5320391fff2c61cc9659056aba368f6be25a446189441d28fb75375da43
Instruction Fuzzy Hash:

Function 0074781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0074798B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 637fe3c72124a291d423546a6128a6370a1ca75ba874acdd4331d16c018a3f52
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: CC51797160C7499BDF3C8978889EBBF639D9B12340F184919D882DB282CB1DFE45D356

Function 00756DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3494343bd8239e1f70aa5c927ecf6be87ce756aef31565cc48dd4865bd391f3b
Instruction ID: a415ede6cac3a46892aee063550fefa7c619cf99ab7b31ecec1bf598f97a3132
Opcode Fuzzy Hash: 3494343bd8239e1f70aa5c927ecf6be87ce756aef31565cc48dd4865bd391f3b
Instruction Fuzzy Hash: 74321221D29F414DD7279634D8223356389AFB73C6F14D73BE81AB59AAEF6DC4838100

Function 0073CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597ee76bf5ec47bbfd97f4c68dd32d807a7c3346afa635cb6a79226257d89c55
Instruction ID: 6f515a338d2267f7d597d79bc806a1d0c3b33be1e35ad3129c9e214a9cfdf1bf
Opcode Fuzzy Hash: 597ee76bf5ec47bbfd97f4c68dd32d807a7c3346afa635cb6a79226257d89c55
Instruction Fuzzy Hash: 41321531A001458BDF2ACE28C4D467D77A1EB4D380F29D56ED88EDB292E63CDD82DB51

Function 00727920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7d81ad36a892542ede73f8b5d1595467841c56c4c3c41506b5e083fb9708d0
Instruction ID: 98899d52edc8e497fca9dca294a1646098ae47b58eaf3c650752b48f6199326e
Opcode Fuzzy Hash: 5b7d81ad36a892542ede73f8b5d1595467841c56c4c3c41506b5e083fb9708d0
Instruction Fuzzy Hash: AB22E3B0A0061ADFDF14CF69D985AAEB7F6FF44300F144529E812AB291EB3DAD14DB50

Function 007291C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea9d3908876abb68b7d75d5a28cae5d1c8434ab1c076af2c55e8cdca7c8dcde
Instruction ID: 7ffc1f8f5f6525b791ac1bd4e4cee6d44fb0ef5d467fa13141038f1ff056c1c7
Opcode Fuzzy Hash: 9ea9d3908876abb68b7d75d5a28cae5d1c8434ab1c076af2c55e8cdca7c8dcde
Instruction Fuzzy Hash: BF02C7B1E00215EFDF04DF64D885AAEB7B1FF44340F148169E916DB291EB39AE20CB95

Function 00759EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1838b5ec90da44c046c66e51190e9b6a3c4eaca2effb09fab5cd1945e3f0e224
Instruction ID: a5f6ba3a7710a37d83f85246b9e7162b00965180542cb4761a23ee0b5722a87d
Opcode Fuzzy Hash: 1838b5ec90da44c046c66e51190e9b6a3c4eaca2effb09fab5cd1945e3f0e224
Instruction Fuzzy Hash: 1BB11220D2AF814DD32396398831336B75CAFBB6D5F91D31BFC2674D22EB2A86834144

Function 00741C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 60f0dccfe692bfaa53e8eb65a2d17a30e73618a4e8c347e4f36a9fcefb793ece
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 98918A726090E34ADB2D563E857403EFFE15A923A235A079DD4F2CB1C5FF28D994DA20

Function 00741F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 47a4332a44819fdae05e6094677c3255cac54be8daddf6ad1c25ab3e52ae5f13
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 179178722090E349DB6D4239857403EFFE15A923A135A079DF4F2CB1D6EF28D9A9D620

Function 007419B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1a4b742814bff77ab45cfb4b086892dbc7556aac039a76b687b82141c6e4aa92
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 139165722090E34EDB2D567A857403EFFE19A923A135A479ED4F2CA1C1FF28D5D4D620

Function 00747A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab067fe42e69452b9097b0ee81d0046e4b5d87c138194fd95e2a8b2745782a7c
Instruction ID: 408f96699d0d55f3c1d4ffdb98f95bc77a2ab12cb66f5430751bc3d2bd621174
Opcode Fuzzy Hash: ab067fe42e69452b9097b0ee81d0046e4b5d87c138194fd95e2a8b2745782a7c
Instruction Fuzzy Hash: 15617CF170874996DE3C9A2C8D99BBE2399DF41700F14891DE983DB281D71D9E42C3A6

Function 00747CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ff4841a90a7641bf14d5bd438e224fee44c44b8c13b6cff2d8a4dde6720b4a
Instruction ID: 82561ea852da12286ba108ac04b82ada60b82d0e9635c79ba1bad4d79df0b7bb
Opcode Fuzzy Hash: 52ff4841a90a7641bf14d5bd438e224fee44c44b8c13b6cff2d8a4dde6720b4a
Instruction Fuzzy Hash: 0C617B31B18759E7DE3C5A284D95BBF2388DF42704F100A59E943DF281D71EAD42CA56

Function 00741706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d02ae38109cf96b21f5d245c01553272d954f8cfbdacf00fe5c72dc8fb5212cf
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 468184326080E34EDB6E923A853403EFFE15A923B135A079DD4F2CB1C1EF28D594E620

Function 00792046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f7543ff1e3034d448f0998cd9e7559608e2d084a69f2bb6018833f64cd94a4
Instruction ID: e0ee46a7af63e2c752ba9679098de9970d7839ec4e238ae77b2c95ca023344dc
Opcode Fuzzy Hash: 67f7543ff1e3034d448f0998cd9e7559608e2d084a69f2bb6018833f64cd94a4
Instruction Fuzzy Hash: 7821A5326206158BDB28CF79D82367E73E5A754320F15862EE4A7C37D1DE39A905CB84

Function 007A2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A2B30
DeleteObject.GDI32(00000000), ref: 007A2B43
DestroyWindow.USER32 ref: 007A2B52
GetDesktopWindow.USER32 ref: 007A2B6D
GetWindowRect.USER32(00000000), ref: 007A2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007A2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007A2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2CF8
GetClientRect.USER32(00000000,?), ref: 007A2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007A2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D80
GlobalLock.KERNEL32(00000000), ref: 007A2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2D98
GlobalUnlock.KERNEL32(00000000), ref: 007A2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2DA8
GlobalFree.KERNEL32(00000000), ref: 007A2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007BFC38,00000000), ref: 007A2DDB
GlobalFree.KERNEL32(00000000), ref: 007A2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 007A2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 007A2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007A303F

Strings

AutoIt v3, xrefs: 007A2CF2
, xrefs: 007A2FC5
static, xrefs: 007A2D3A, 007A2E91
DISPLAY, xrefs: 007A2EA2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 06a580c5971601d1d79896dfb4bec445bafbb78f555a3222789097665181a39d
Instruction ID: 72f42631053a80df1efeaff4fe14c527aae98cf4657e9864a03ff8d3e36e69aa
Opcode Fuzzy Hash: 06a580c5971601d1d79896dfb4bec445bafbb78f555a3222789097665181a39d
Instruction Fuzzy Hash: 69025C71500219EFDB15DF68CC89EAE7BB9FF49710F008258F915AB2A1DB78AD01CB64

Function 007B70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007B712F
GetSysColorBrush.USER32(0000000F), ref: 007B7160
GetSysColor.USER32(0000000F), ref: 007B716C
SetBkColor.GDI32(?,000000FF), ref: 007B7186
SelectObject.GDI32(?,?), ref: 007B7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007B71C0
GetSysColor.USER32(00000010), ref: 007B71C8
CreateSolidBrush.GDI32(00000000), ref: 007B71CF
FrameRect.USER32(?,?,00000000), ref: 007B71DE
DeleteObject.GDI32(00000000), ref: 007B71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007B7230
FillRect.USER32(?,?,?), ref: 007B7262
GetWindowLongW.USER32(?,000000F0), ref: 007B7284

Part of subcall function 007B73E8: GetSysColor.USER32(00000012), ref: 007B7421
Part of subcall function 007B73E8: SetTextColor.GDI32(?,?), ref: 007B7425
Part of subcall function 007B73E8: GetSysColorBrush.USER32(0000000F), ref: 007B743B
Part of subcall function 007B73E8: GetSysColor.USER32(0000000F), ref: 007B7446
Part of subcall function 007B73E8: GetSysColor.USER32(00000011), ref: 007B7463
Part of subcall function 007B73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007B7471
Part of subcall function 007B73E8: SelectObject.GDI32(?,00000000), ref: 007B7482
Part of subcall function 007B73E8: SetBkColor.GDI32(?,00000000), ref: 007B748B
Part of subcall function 007B73E8: SelectObject.GDI32(?,?), ref: 007B7498
Part of subcall function 007B73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007B74B7
Part of subcall function 007B73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007B74CE
Part of subcall function 007B73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007B74DB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 181a36deba66caec2556807751a32fb2e8da82d23b74301a699963b5eb488b11
Instruction ID: 33144d3114ddf1052657c67df1e470e9487b8ab0e7ef4be054dbd2aa5779990f
Opcode Fuzzy Hash: 181a36deba66caec2556807751a32fb2e8da82d23b74301a699963b5eb488b11
Instruction Fuzzy Hash: 25A19F72008305EFD7159F64DC48F9B7BA9FF88320F108B19F9A2A61A1D739E944CB65

Function 00738D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00738E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00776AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00776AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00776F43

Part of subcall function 00738F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00738BE8,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738FC5

SendMessageW.USER32(?,00001053), ref: 00776F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00776F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00776FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00776FB7

Strings

0, xrefs: 00776DCF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: e0742ca5e2a692638711361f0a68d53b43e58c39436c63067d67fda6968fc5a6
Instruction ID: 5ee095da5adf49f5063edf0bd45c74d319e0a758161bb6ad21c6c78857131196
Opcode Fuzzy Hash: e0742ca5e2a692638711361f0a68d53b43e58c39436c63067d67fda6968fc5a6
Instruction Fuzzy Hash: 7E12AD30200641DFDB25CF24C848BB6BBA5FB45340F54C5A9F489CB266CB79EC51DBA6

Function 007A2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007A273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007A286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007A28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007A28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 007A2900
GetClientRect.USER32(00000000,?), ref: 007A290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 007A2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007A2964
GetStockObject.GDI32(00000011), ref: 007A2974
SelectObject.GDI32(00000000,00000000), ref: 007A2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007A2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A2991
DeleteDC.GDI32(00000000), ref: 007A299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007A29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007A29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 007A2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007A2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 007A2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 007A2A77
GetStockObject.GDI32(00000011), ref: 007A2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007A2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007A2A97

Strings

AutoIt v3, xrefs: 007A28F8
static, xrefs: 007A294F, 007A2A71
msctls_progress32, xrefs: 007A2A13
DISPLAY, xrefs: 007A295A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4af45f38d3a1c0bfb70c2df52cf66dad29d6b5002c31d7cf3424c2447dcbcf3e
Instruction ID: ca99f011eed4761d9fcd9b6dd7eea49b7ee804ca3b9f4f9c6ce87028c7a37991
Opcode Fuzzy Hash: 4af45f38d3a1c0bfb70c2df52cf66dad29d6b5002c31d7cf3424c2447dcbcf3e
Instruction Fuzzy Hash: 20B14DB1A00219AFEB14DF69DC49FAE7BA9EF49710F008214F915EB291D778ED40CB64

Function 00794ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00794AED
GetDriveTypeW.KERNEL32(?,007BCB68,?,\\.\,007BCC08), ref: 00794BCA
SetErrorMode.KERNEL32(00000000,007BCB68,?,\\.\,007BCC08), ref: 00794D36

Strings

SSA, xrefs: 00794CA6
\\.\, xrefs: 00794B3F
ATAPI, xrefs: 00794C91
CDROM, xrefs: 00794BFB
SAS, xrefs: 00794CC9
Removable, xrefs: 00794C10, 00794C15
iSCSI, xrefs: 00794CC2
SATA, xrefs: 00794CD0
Virtual, xrefs: 00794CE5
SCSI, xrefs: 00794C8A
RAMDisk, xrefs: 00794BF4
USB, xrefs: 00794CB4
Unknown, xrefs: 00794BED, 00794C83
Fixed, xrefs: 00794C09
Fibre, xrefs: 00794CAD
ATA, xrefs: 00794C98
SSD, xrefs: 00794C4A
PhysicalDrive, xrefs: 00794B76
RAID, xrefs: 00794CBB
1394, xrefs: 00794C9F
MMC, xrefs: 00794CDE
Network, xrefs: 00794C02
FileBackedVirtual, xrefs: 00794CEC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: df6dcdfe54598140826b9d83ef977da784b4d7af2fffa9b73c2b9a50f7634366
Instruction ID: 76b744ce3e481f11c768785e159aee9edd7e552a4fe3622293eb1efee69f5c9a
Opcode Fuzzy Hash: df6dcdfe54598140826b9d83ef977da784b4d7af2fffa9b73c2b9a50f7634366
Instruction Fuzzy Hash: 4061F470706149DFCF04DF25EA96D6CB7F1AB19380B248065F806AB291DB3DED42DB61

Function 007B73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007B7421
SetTextColor.GDI32(?,?), ref: 007B7425
GetSysColorBrush.USER32(0000000F), ref: 007B743B
GetSysColor.USER32(0000000F), ref: 007B7446
CreateSolidBrush.GDI32(?), ref: 007B744B
GetSysColor.USER32(00000011), ref: 007B7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007B7471
SelectObject.GDI32(?,00000000), ref: 007B7482
SetBkColor.GDI32(?,00000000), ref: 007B748B
SelectObject.GDI32(?,?), ref: 007B7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007B74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007B74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007B74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007B752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007B7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007B7572
DrawFocusRect.USER32(?,?), ref: 007B757D
GetSysColor.USER32(00000011), ref: 007B758E
SetTextColor.GDI32(?,00000000), ref: 007B7596
DrawTextW.USER32(?,007B70F5,000000FF,?,00000000), ref: 007B75A8
SelectObject.GDI32(?,?), ref: 007B75BF
DeleteObject.GDI32(?), ref: 007B75CA
SelectObject.GDI32(?,?), ref: 007B75D0
DeleteObject.GDI32(?), ref: 007B75D5
SetTextColor.GDI32(?,?), ref: 007B75DB
SetBkColor.GDI32(?,?), ref: 007B75E5

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 35e358f236784cf6154fa9bb64e00307aa142e9f9b3f20c0a16126a4ba92759b
Instruction ID: e84a6f5ce9bc4135c4d21a71b58498c49d3a40ea4e300591bf8e8d1f7457661a
Opcode Fuzzy Hash: 35e358f236784cf6154fa9bb64e00307aa142e9f9b3f20c0a16126a4ba92759b
Instruction Fuzzy Hash: 6C616F72904218AFDB159FA8DC49FEE7F79EF48320F108215F911BB2A1D7789940CBA0

Function 007B0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007B1128
GetDesktopWindow.USER32 ref: 007B113D
GetWindowRect.USER32(00000000), ref: 007B1144
GetWindowLongW.USER32(?,000000F0), ref: 007B1199
DestroyWindow.USER32(?), ref: 007B11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007B11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007B121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007B1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007B1245
IsWindowVisible.USER32(00000000), ref: 007B12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007B12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007B12D0
GetWindowRect.USER32(00000000,?), ref: 007B12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007B130E
GetMonitorInfoW.USER32(00000000,?), ref: 007B1328
CopyRect.USER32(?,?), ref: 007B133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007B13AA

Strings

(, xrefs: 007B131B
tooltips_class32, xrefs: 007B11E6
0, xrefs: 007B10D3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9c1f8ba366ac6b2cfe0192a235d3561d784ab77d496fc70330b7c4560fd1130e
Instruction ID: 4bfbe778fd1b89862685aea8cb0ab30c29ed8223fb6d34f325a778d4954dafa5
Opcode Fuzzy Hash: 9c1f8ba366ac6b2cfe0192a235d3561d784ab77d496fc70330b7c4560fd1130e
Instruction Fuzzy Hash: 77B18B71604351AFD714DF64C898FAABBE4FF88344F80891CF9999B2A1D735E844CB92

Function 00738891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00738968
GetSystemMetrics.USER32(00000007), ref: 00738970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0073899B
GetSystemMetrics.USER32(00000008), ref: 007389A3
GetSystemMetrics.USER32(00000004), ref: 007389C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007389E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007389F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00738A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00738A3C
GetClientRect.USER32(00000000,000000FF), ref: 00738A5A
GetStockObject.GDI32(00000011), ref: 00738A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00738A81

Part of subcall function 0073912D: GetCursorPos.USER32(?), ref: 00739141
Part of subcall function 0073912D: ScreenToClient.USER32(00000000,?), ref: 0073915E
Part of subcall function 0073912D: GetAsyncKeyState.USER32(00000001), ref: 00739183
Part of subcall function 0073912D: GetAsyncKeyState.USER32(00000002), ref: 0073919D

SetTimer.USER32(00000000,00000000,00000028,007390FC), ref: 00738AA8

Strings

AutoIt v3 GUI, xrefs: 00738A20

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 31ea6b409900bc516f1d10fff308eceacacf0f8b3e2aebe469a37b73b8126fca
Instruction ID: 7e1388a18b031cb0a653e78bf9ef5ad7ad2ef9a8cabbad51797910096f22ac8a
Opcode Fuzzy Hash: 31ea6b409900bc516f1d10fff308eceacacf0f8b3e2aebe469a37b73b8126fca
Instruction Fuzzy Hash: 4BB16C75A00209DFDF14DFA8CD49FAE3BB5FB48354F108229FA15AB294DB78A840CB55

Function 00780D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
Part of subcall function 007810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
Part of subcall function 007810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
Part of subcall function 007810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
Part of subcall function 007810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00780DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00780E29
GetLengthSid.ADVAPI32(?), ref: 00780E40
GetAce.ADVAPI32(?,00000000,?), ref: 00780E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00780E96
GetLengthSid.ADVAPI32(?), ref: 00780EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00780EB5
HeapAlloc.KERNEL32(00000000), ref: 00780EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00780EDD
CopySid.ADVAPI32(00000000), ref: 00780EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00780F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00780F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00780F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F6E
HeapFree.KERNEL32(00000000), ref: 00780F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F7E
HeapFree.KERNEL32(00000000), ref: 00780F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00780F8E
HeapFree.KERNEL32(00000000), ref: 00780F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00780FA1
HeapFree.KERNEL32(00000000), ref: 00780FA8

Part of subcall function 00781193: GetProcessHeap.KERNEL32(00000008,00780BB1,?,00000000,?,00780BB1,?), ref: 007811A1
Part of subcall function 00781193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00780BB1,?), ref: 007811A8
Part of subcall function 00781193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00780BB1,?), ref: 007811B7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 200c58db37e655a9d70dc05cece1813c45f181940686bc489458bf7f1d7358d0
Instruction ID: cc3886ecf07f678b3c4822f9ca829036eeac60e4bb77994ffb4c08ed0de96001
Opcode Fuzzy Hash: 200c58db37e655a9d70dc05cece1813c45f181940686bc489458bf7f1d7358d0
Instruction Fuzzy Hash: 7671507194020AEBDF61AFA5DC49FAEBBB8BF04340F04C215FA15E6151D7399A09CBA0

Function 007AC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007AC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007BCC08,00000000,?,00000000,?,?), ref: 007AC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 007AC5A4
_wcslen.LIBCMT ref: 007AC5F4
_wcslen.LIBCMT ref: 007AC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 007AC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 007AC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 007AC84D
RegCloseKey.ADVAPI32(?), ref: 007AC881
RegCloseKey.ADVAPI32(00000000), ref: 007AC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 007AC960

Strings

REG_EXPAND_SZ, xrefs: 007AC5CD
REG_QWORD, xrefs: 007AC8C3
REG_SZ, xrefs: 007AC644
REG_DWORD, xrefs: 007AC804
REG_MULTI_SZ, xrefs: 007AC6F5
REG_BINARY, xrefs: 007AC913

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e281de31bbff4e0ac6f30a7101b56cce9631d05acc1d5069392b2597877f1c09
Instruction ID: 4c8e2799fb696e268cb70730a2744a8ea0d5203dcffcbcde270ac71675761c61
Opcode Fuzzy Hash: e281de31bbff4e0ac6f30a7101b56cce9631d05acc1d5069392b2597877f1c09
Instruction Fuzzy Hash: CF126735604210EFD715DF14D885A2AB7E5FF89714F08899CF88A9B3A2DB39EC41CB81

Function 007B091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007B09C6
_wcslen.LIBCMT ref: 007B0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B0A54
_wcslen.LIBCMT ref: 007B0A8A
_wcslen.LIBCMT ref: 007B0B06
_wcslen.LIBCMT ref: 007B0B81

Part of subcall function 0073F9F2: _wcslen.LIBCMT ref: 0073F9FD

Part of subcall function 00782BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00782BFA

Strings

ISCHECKED, xrefs: 007B0CE1
EXISTS, xrefs: 007B0B7C, 007B0B97
GETTEXT, xrefs: 007B0C97
EXPAND, xrefs: 007B0BF8
UNCHECK, xrefs: 007B0D3E
CHECK, xrefs: 007B0A85, 007B0AA0
GETTOTALCOUNT, xrefs: 007B09F2, 007B0A17
SELECT, xrefs: 007B0D11
GETITEMCOUNT, xrefs: 007B0C1E
GETSELECTED, xrefs: 007B0C4E
COLLAPSE, xrefs: 007B0B01, 007B0B1C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 0e2816a18dfb672e2dd0fec391b63465cc7f377333b9d69d7c50ceca17ac0512
Instruction ID: 98fa1e4a1b39e94f753225d6c06c2e947abf1665c0f738d678868feb341672b1
Opcode Fuzzy Hash: 0e2816a18dfb672e2dd0fec391b63465cc7f377333b9d69d7c50ceca17ac0512
Instruction Fuzzy Hash: 77E19971208301CFC714DF25C454AABB7E1BF98314B14895DF896AB3A2DB38ED46CB81

Function 007AC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
_wcslen.LIBCMT ref: 007AC9F1
_wcslen.LIBCMT ref: 007ACA68
_wcslen.LIBCMT ref: 007ACA9E
_wcslen.LIBCMT ref: 007ACAF9
_wcslen.LIBCMT ref: 007ACB2F
_wcslen.LIBCMT ref: 007ACB7F

Strings

HKEY_USERS, xrefs: 007ACBDF
HKU, xrefs: 007ACBF0
HKCR, xrefs: 007ACB29, 007ACB2E
HKEY_CURRENT_CONFIG, xrefs: 007ACB79, 007ACB7E
HKCU, xrefs: 007ACBCE
HKEY_CURRENT_USER, xrefs: 007ACBBD
HKLM, xrefs: 007ACA98, 007ACA9D
HKEY_LOCAL_MACHINE, xrefs: 007ACA62, 007ACA67
HKEY_CLASSES_ROOT, xrefs: 007ACAF3, 007ACAF8
HKCC, xrefs: 007ACBAC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f9ed10dac8014516f4365e00ceded8c5dbe54345f34f570ff898185bb5648f86
Instruction ID: 52e3bce9478c956128ca105ba6406a99837d4408c6009f0de1ea3935acd2bfa9
Opcode Fuzzy Hash: f9ed10dac8014516f4365e00ceded8c5dbe54345f34f570ff898185bb5648f86
Instruction Fuzzy Hash: DC71057360016AABCB22DF7CCD416BA3391AFE6764F154324F8569B284EA3DDD45C3A0

Function 007B833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007B835A
_wcslen.LIBCMT ref: 007B836E
_wcslen.LIBCMT ref: 007B8391
_wcslen.LIBCMT ref: 007B83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007B83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007B361A,?), ref: 007B844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007B8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007B84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007B8501
FreeLibrary.KERNEL32(?), ref: 007B850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007B851D
DestroyIcon.USER32(?), ref: 007B852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007B8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007B8555

Strings

.dll, xrefs: 007B83AB
.exe, xrefs: 007B8388
.icl, xrefs: 007B8368

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9b874f671d51ba92d4aa09ca0b090cb40fba3d343ddb2e117acabbcdf02147cc
Instruction ID: 9d8c03e45bd2f39646867966b3a096d1a91815b69bf2fb67ed97ac23a20b6197
Opcode Fuzzy Hash: 9b874f671d51ba92d4aa09ca0b090cb40fba3d343ddb2e117acabbcdf02147cc
Instruction Fuzzy Hash: E1619E71500215FAEB259F64DC85BFE77ACBF08711F108609F815E61D1DF78A990D7A0

Function 00727778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 007277FF
#pragma compile, xrefs: 007277D3
Unterminated group of comments, xrefs: 0076528C
#include-once, xrefs: 0072782F
", xrefs: 00765153
#OnAutoItStartRegister, xrefs: 00727817
#cs, xrefs: 00727873, 007278C5
#include, xrefs: 00727847
#comments-start, xrefs: 0072785F, 007278B1
Cannot parse #include, xrefs: 00765279
#notrayicon, xrefs: 007277E7
Bad directive syntax error, xrefs: 0076519A
', xrefs: 00765169
#ce, xrefs: 007278ED
#comments-end, xrefs: 007278D9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: a8da92c63ec54c46476bfdb88e43ae43e16df9bfe958b2da7aa9558249c6b315
Instruction ID: 0b47aba2eb98cc8f7855811a1bc92af389c7f477fa9af8e7fd118787df3e5e40
Opcode Fuzzy Hash: a8da92c63ec54c46476bfdb88e43ae43e16df9bfe958b2da7aa9558249c6b315
Instruction Fuzzy Hash: BC812AB1640229FBDB29AF60DD46FAE37A8AF15300F044024FD05AB292EB7CD951D7A1

Function 00793E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00793EF8
_wcslen.LIBCMT ref: 00793F03
_wcslen.LIBCMT ref: 00793F5A
_wcslen.LIBCMT ref: 00793F98
GetDriveTypeW.KERNEL32(?), ref: 00793FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0079401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00794059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00794087

Strings

type cdaudio alias cd wait, xrefs: 00794001
open , xrefs: 00793FE5
close, xrefs: 00793EFE, 00793F18
set cd door , xrefs: 00794028
open, xrefs: 00793F54, 00793F59
wait, xrefs: 00794044
closed, xrefs: 00793F08, 00793F2D, 00793F46, 00793F7E, 00793F97
close cd wait, xrefs: 00794072

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: db45e958b2e202acfec54d08b247bc98b200d25967f07e9d3dfd88784061e640
Instruction ID: a3d4cbfa71f06b3fcffab40586097454ef45051c22a2048987c6e33b7791be76
Opcode Fuzzy Hash: db45e958b2e202acfec54d08b247bc98b200d25967f07e9d3dfd88784061e640
Instruction Fuzzy Hash: 4071F2726042119FCB10EF24D88096AB7F5EFA8754F10492DF89597261EB38EE46CB91

Function 00785A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00785A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00785A40
SetWindowTextW.USER32(?,?), ref: 00785A57
GetDlgItem.USER32(?,000003EA), ref: 00785A6C
SetWindowTextW.USER32(00000000,?), ref: 00785A72
GetDlgItem.USER32(?,000003E9), ref: 00785A82
SetWindowTextW.USER32(00000000,?), ref: 00785A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00785AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00785AC3
GetWindowRect.USER32(?,?), ref: 00785ACC
_wcslen.LIBCMT ref: 00785B33
SetWindowTextW.USER32(?,?), ref: 00785B6F
GetDesktopWindow.USER32 ref: 00785B75
GetWindowRect.USER32(00000000), ref: 00785B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00785BD3
GetClientRect.USER32(?,?), ref: 00785BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00785C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00785C2F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 9101f35c828813c73e202422b4149719aa96ad73445ce6a3b26555fbc7f6f2a7
Instruction ID: 19d166b642aaaeba49c86b729a109d813c974faa9738711f74913c8e2040202f
Opcode Fuzzy Hash: 9101f35c828813c73e202422b4149719aa96ad73445ce6a3b26555fbc7f6f2a7
Instruction Fuzzy Hash: 26717E71900B05AFDB21EFA8CD85F6EBBF5FF48704F108618E142A25A0D779A900CB14

Function 0079FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0079FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0079FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0079FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0079FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0079FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0079FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0079FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0079FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0079FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0079FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0079FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0079FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0079FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0079FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0079FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0079FECC
GetCursorInfo.USER32(?), ref: 0079FEDC
GetLastError.KERNEL32 ref: 0079FF1E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 1ed2e3b49a04f234f8e17591327bd6775b2e23ebbbddb88f47e1b6c9161cad57
Instruction ID: 1b7ffc14ffc242bb513aeb5df8aee74070bb75e0d533d6aa1511dc2b64842c77
Opcode Fuzzy Hash: 1ed2e3b49a04f234f8e17591327bd6775b2e23ebbbddb88f47e1b6c9161cad57
Instruction Fuzzy Hash: C74154B0D04319AADB10DFBA9C89C5EBFE9FF04354B54852AF11DE7281DB789901CE91

Function 007830F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078318D
_wcslen.LIBCMT ref: 007831F8

Strings

CLASSNN, xrefs: 007831F3, 00783204
TEXT, xrefs: 0078347C
REGEXPCLASS, xrefs: 00783255, 00783266
INSTANCE, xrefs: 00783453
CLASS, xrefs: 00783188, 007831A5
NAME, xrefs: 00783335, 00783346
[~, xrefs: 0078339A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[~
API String ID: 176396367-1468205893
Opcode ID: 1fb6792ac8f3fe8505e48393dcd91d8f3b531641b3056a801bcc3d8314a4b7f1
Instruction ID: aac31d703fce7ba62c01b73a45df5658a85bc1ff8bf4fb9e88b48f3d9cd16429
Opcode Fuzzy Hash: 1fb6792ac8f3fe8505e48393dcd91d8f3b531641b3056a801bcc3d8314a4b7f1
Instruction Fuzzy Hash: 06E1B432A4051AEBCB14AF7CC455BFEBBB0BF54B10F548129E456F7240DB38AE859790

Function 007400C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007400C6

Part of subcall function 007400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007F070C,00000FA0,CCCA4A7B,?,?,?,?,007623B3,000000FF), ref: 0074011C
Part of subcall function 007400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007623B3,000000FF), ref: 00740127
Part of subcall function 007400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007623B3,000000FF), ref: 00740138
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0074014E
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0074015C
Part of subcall function 007400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0074016A
Part of subcall function 007400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00740195
Part of subcall function 007400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007401A0

___scrt_fastfail.LIBCMT ref: 007400E7

Part of subcall function 007400A3: __onexit.LIBCMT ref: 007400A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00740122
WakeAllConditionVariable, xrefs: 00740162
kernel32.dll, xrefs: 00740133
InitializeConditionVariable, xrefs: 00740148
SleepConditionVariableCS, xrefs: 00740154

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 624d1af65b8c1955ca8845e08dde6da9a400af0ce51f11593785b8f2bcc9c931
Instruction ID: 96ba22cd96f01d6de4e853e9d8a1d4cf2a9ad0b871ecd37ba59633672a89e789
Opcode Fuzzy Hash: 624d1af65b8c1955ca8845e08dde6da9a400af0ce51f11593785b8f2bcc9c931
Instruction Fuzzy Hash: EC21C9B2A44718ABEB116B74AC49F6D7398DB45F51F048265FA01A7392DB7C98008AE4

Function 007944C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007BCC08), ref: 00794527
_wcslen.LIBCMT ref: 0079453B
_wcslen.LIBCMT ref: 00794599
_wcslen.LIBCMT ref: 007945F4
_wcslen.LIBCMT ref: 0079463F
_wcslen.LIBCMT ref: 007946A7

Part of subcall function 0073F9F2: _wcslen.LIBCMT ref: 0073F9FD

GetDriveTypeW.KERNEL32(?,007E6BF0,00000061), ref: 00794743

Strings

ramdisk, xrefs: 007946F1
network, xrefs: 0079469D, 007946A2
cdrom, xrefs: 0079458F, 00794594
removable, xrefs: 007945EA, 007945EF
unknown, xrefs: 00794708
all, xrefs: 00794531, 00794536
fixed, xrefs: 00794635, 0079463A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 36c5255c05ca707699705c5822563e4cb1814b2e420e9ad51b8e04529ed91dc5
Instruction ID: 17b55ecdfc1f8cb4edb86098bc765ab101b9246d0857bf5555e93e63353cf645
Opcode Fuzzy Hash: 36c5255c05ca707699705c5822563e4cb1814b2e420e9ad51b8e04529ed91dc5
Instruction Fuzzy Hash: 1FB125716083029FCB10DF28E894E6EB7E5BFA9760F50491DF496C7291D738D846CB62

Function 007A3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007BCC08), ref: 007A40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007A40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,007BCC08), ref: 007A40F2
FreeLibrary.KERNEL32(00000000,?,007BCC08), ref: 007A413E
StringFromGUID2.OLE32(?,?,00000028,?,007BCC08), ref: 007A41A8
SysFreeString.OLEAUT32(00000009), ref: 007A4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007A42C8
SysFreeString.OLEAUT32(?), ref: 007A42F2

Strings

kernel32.dll, xrefs: 007A40B6
GetModuleHandleExW, xrefs: 007A40C7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 7deeb81c3a15910fbc8071a15b1c9de89b17e452c0aff9b7fbc471afd1309c5b
Instruction ID: 19266f796c0f3551fb01676a6dc0800f4f5390546d611559cf4eb8a82fde834d
Opcode Fuzzy Hash: 7deeb81c3a15910fbc8071a15b1c9de89b17e452c0aff9b7fbc471afd1309c5b
Instruction Fuzzy Hash: 85123C75A00119EFDB14CF54C884EAEB7B5FFC9314F248198E905AB251D776ED42CBA0

Function 0072326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007F1990), ref: 00762F8D
GetMenuItemCount.USER32(007F1990), ref: 0076303D
GetCursorPos.USER32(?), ref: 00763081
SetForegroundWindow.USER32(00000000), ref: 0076308A
TrackPopupMenuEx.USER32(007F1990,00000000,?,00000000,00000000,00000000), ref: 0076309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007630A9

Strings

0, xrefs: 0072327D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e6331eb3b46b0c6ffa0c6fede18bc5160839b3664da9a48e752f772e2b081ea2
Instruction ID: 0b1978ca282b006a0270469675c50c408c27716fcd676af8b593413780bb5b38
Opcode Fuzzy Hash: e6331eb3b46b0c6ffa0c6fede18bc5160839b3664da9a48e752f772e2b081ea2
Instruction Fuzzy Hash: A0711970644615FEEB219F24DC49FEABFA9FF04324F204216F925A61E1C7BDA914CB90

Function 007B6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 007B6DEB

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007B6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007B6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B6E94
DestroyWindow.USER32(?), ref: 007B6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00720000,00000000), ref: 007B6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007B6EFD
GetDesktopWindow.USER32 ref: 007B6F16
GetWindowRect.USER32(00000000), ref: 007B6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007B6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007B6F4D

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

Strings

tooltips_class32, xrefs: 007B6E58, 007B6EDD
0, xrefs: 007B6D98

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 426347dfd63f4811d89c6baa0aec2922e1b7a5ce5ee1143c477e5b9692849bb5
Instruction ID: 68dc88e13b88b40e393d37e9fe0e32d3d6f76dd3eec519ebf0ccbb7f6a242e7a
Opcode Fuzzy Hash: 426347dfd63f4811d89c6baa0aec2922e1b7a5ce5ee1143c477e5b9692849bb5
Instruction Fuzzy Hash: 32717871504284AFDB21CF28DC48FBABBE9FB89304F44855EFA8987261C778E905CB15

Function 007B911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

DragQueryPoint.SHELL32(?,?), ref: 007B9147

Part of subcall function 007B7674: ClientToScreen.USER32(?,?), ref: 007B769A
Part of subcall function 007B7674: GetWindowRect.USER32(?,?), ref: 007B7710
Part of subcall function 007B7674: PtInRect.USER32(?,?,007B8B89), ref: 007B7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007B91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007B91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007B91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007B9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007B923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007B9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007B9277
DragFinish.SHELL32(?), ref: 007B927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007B9371

Strings

@GUI_DRAGFILE, xrefs: 007B9320
@GUI_DRAGID, xrefs: 007B92E9
@GUI_DROPID, xrefs: 007B929E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4b4c6a2c4270295b98aab1177cb1e66288a21f6a3c71741ec6011b94cc1413f8
Instruction ID: 3f7c4962b8806dd0a75ea0e9ccb273ef62ca95ca08d399195b76ce95f245d1a4
Opcode Fuzzy Hash: 4b4c6a2c4270295b98aab1177cb1e66288a21f6a3c71741ec6011b94cc1413f8
Instruction Fuzzy Hash: 3D618D71108301AFC701DF64DC89EAFBBE8EF89350F044A2DF691931A1DB789A45CB62

Function 0079C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0079C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0079C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0079C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0079C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0079C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0079C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0079C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0079C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0079C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0079C5F0
InternetCloseHandle.WININET(00000000), ref: 0079C5FB

Strings

, xrefs: 0079C575

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 45b090f6fbd4d79948dd18ef365d114959c84cfeb46194065fe375a850e03de0
Instruction ID: d13e546a70bbf6d22f633913ebcb6e383af162a42ddc0edadf3bbaccec2a0f9c
Opcode Fuzzy Hash: 45b090f6fbd4d79948dd18ef365d114959c84cfeb46194065fe375a850e03de0
Instruction Fuzzy Hash: 0C514AB1600208BFEF228F65D988FAB7BFCFF08754F108519F94696250DB38E9549B60

Function 007B856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007B8592
GetFileSize.KERNEL32(00000000,00000000), ref: 007B85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007B85AD
CloseHandle.KERNEL32(00000000), ref: 007B85BA
GlobalLock.KERNEL32(00000000), ref: 007B85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007B85D7
GlobalUnlock.KERNEL32(00000000), ref: 007B85E0
CloseHandle.KERNEL32(00000000), ref: 007B85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 007B85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,007BFC38,?), ref: 007B8611
GlobalFree.KERNEL32(00000000), ref: 007B8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 007B8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007B8671
DeleteObject.GDI32(00000000), ref: 007B8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007B86AF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b93e83c3a2ed70aa3bccf97c2747e3248b15ac69d2bc4ce760af100aebd1ec68
Instruction ID: c3ce62273fceedfe38b189c2b7e89219ca3d74aca092c3d14ef32463276ef44e
Opcode Fuzzy Hash: b93e83c3a2ed70aa3bccf97c2747e3248b15ac69d2bc4ce760af100aebd1ec68
Instruction Fuzzy Hash: 3B411975600209AFDB129FA5CC48FAA7BBCFF89B15F108159F905E7260DB389D01CB65

Function 007914BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00791502
VariantCopy.OLEAUT32(?,?), ref: 0079150B
VariantClear.OLEAUT32(?), ref: 00791517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007915FB
VarR8FromDec.OLEAUT32(?,?), ref: 00791657
VariantInit.OLEAUT32(?), ref: 00791708
SysFreeString.OLEAUT32(?), ref: 0079178C
VariantClear.OLEAUT32(?), ref: 007917D8
VariantClear.OLEAUT32(?), ref: 007917E7
VariantInit.OLEAUT32(00000000), ref: 00791823

Strings

Default, xrefs: 007916AF
%4d%02d%02d%02d%02d%02d, xrefs: 00791625

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2c1ce7c237bdb826c472aaa99a037bf58d1e1a172dc95678aae0516bcda10c73
Instruction ID: 6a02f2f5e7305a7668cac71facd4f1ae07a2c4ba86bfe8ee4788dd169485f9e0
Opcode Fuzzy Hash: 2c1ce7c237bdb826c472aaa99a037bf58d1e1a172dc95678aae0516bcda10c73
Instruction Fuzzy Hash: 11D11172A00116EBEF009F65E889B7DB7B1BF44700F968056F446AB281DB3CED61DB61

Function 007AB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007AB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007AB772
RegDeleteValueW.ADVAPI32(?,?), ref: 007AB80A
RegCloseKey.ADVAPI32(?), ref: 007AB87E
RegCloseKey.ADVAPI32(?), ref: 007AB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 007AB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007AB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 007AB922
FreeLibrary.KERNEL32(00000000), ref: 007AB983
RegCloseKey.ADVAPI32(00000000), ref: 007AB994

Strings

RegDeleteKeyExW, xrefs: 007AB8FE
advapi32.dll, xrefs: 007AB8ED

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 262a18cb1664456f7927fd5bcacf239612fbb71364775bc5eae52cbc3c0309f3
Instruction ID: 784b72c70469ae42e9145e9e0487e95f539595172501b5078277299edf48fa65
Opcode Fuzzy Hash: 262a18cb1664456f7927fd5bcacf239612fbb71364775bc5eae52cbc3c0309f3
Instruction Fuzzy Hash: 63C16B31208241EFD715DF14C498F2ABBE5BF85308F18869CF59A4B2A3CB79E845CB91

Function 007A255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007A25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007A25E8
CreateCompatibleDC.GDI32(?), ref: 007A25F4
SelectObject.GDI32(00000000,?), ref: 007A2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 007A266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007A26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007A26D0
SelectObject.GDI32(?,?), ref: 007A26D8
DeleteObject.GDI32(?), ref: 007A26E1
DeleteDC.GDI32(?), ref: 007A26E8
ReleaseDC.USER32(00000000,?), ref: 007A26F3

Strings

(, xrefs: 007A268D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d57f46ffde5674f9ae749db263ea32ece3e050a426b2618806baef771f1cb504
Instruction ID: bccc53d52304e004a19c2510d6a61c4c40d3d18b2e9937f99da774290556a3f0
Opcode Fuzzy Hash: d57f46ffde5674f9ae749db263ea32ece3e050a426b2618806baef771f1cb504
Instruction Fuzzy Hash: 876102B5D00219EFCF05CFA8D884EAEBBB5FF48310F208629E955A7251D774A941CF64

Function 0075DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0075DAA1

Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D659
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D66B
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D67D
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D68F
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6A1
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6B3
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6C5
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6D7
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6E9
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D6FB
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D70D
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D71F
Part of subcall function 0075D63C: _free.LIBCMT ref: 0075D731

_free.LIBCMT ref: 0075DA96

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075DAB8
_free.LIBCMT ref: 0075DACD
_free.LIBCMT ref: 0075DAD8
_free.LIBCMT ref: 0075DAFA
_free.LIBCMT ref: 0075DB0D
_free.LIBCMT ref: 0075DB1B
_free.LIBCMT ref: 0075DB26
_free.LIBCMT ref: 0075DB5E
_free.LIBCMT ref: 0075DB65
_free.LIBCMT ref: 0075DB82
_free.LIBCMT ref: 0075DB9A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d67d0d60ea89408022e2be68ddb14557a5d24b1b20e5dbb00568cd3fc0dd7a7e
Instruction ID: 73c1547ee706c310883f3f631d832046f4075b9546ecd42ba7ee2f79591ad5e0
Opcode Fuzzy Hash: d67d0d60ea89408022e2be68ddb14557a5d24b1b20e5dbb00568cd3fc0dd7a7e
Instruction Fuzzy Hash: 3E315D71604204DFEB31AA39D849BD677E9FF01312F114419E848E72A2DFB9BC49CB20

Function 0078365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0078369C
_wcslen.LIBCMT ref: 007836A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00783797
GetClassNameW.USER32(?,?,00000400), ref: 0078380C
GetDlgCtrlID.USER32(?), ref: 0078385D
GetWindowRect.USER32(?,?), ref: 00783882
GetParent.USER32(?), ref: 007838A0
ScreenToClient.USER32(00000000), ref: 007838A7
GetClassNameW.USER32(?,?,00000100), ref: 00783921
GetWindowTextW.USER32(?,?,00000400), ref: 0078395D

Strings

%s%u, xrefs: 00783734

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 84a7c91310d954022160e495fd3ad7673fab72799383b77ece4ae2ecfa98f367
Instruction ID: 02c3be9732b3903fa16a0e11ae651467531de7f58b68404413d136c4e32ea355
Opcode Fuzzy Hash: 84a7c91310d954022160e495fd3ad7673fab72799383b77ece4ae2ecfa98f367
Instruction Fuzzy Hash: 0E91D771244706EFD715EF28C889FAAF7A8FF44754F008619F999C2190DB38EA45CBA1

Function 00784954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00784994
GetWindowTextW.USER32(?,?,00000400), ref: 007849DA
_wcslen.LIBCMT ref: 007849EB
CharUpperBuffW.USER32(?,00000000), ref: 007849F7
_wcsstr.LIBVCRUNTIME ref: 00784A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00784A64
GetWindowTextW.USER32(?,?,00000400), ref: 00784A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00784AE6
GetClassNameW.USER32(?,?,00000400), ref: 00784B20
GetWindowRect.USER32(?,?), ref: 00784B8B

Strings

ThumbnailClass, xrefs: 00784A6F, 00784AF1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 9aad1e5cc99a51f83b93fe988e13b8b7399b3877cf975f0eb8938756d34633ac
Instruction ID: 32aaddaa3fb3cba811fab8e3eb4214543a6a686838de53581dbfa091f9035002
Opcode Fuzzy Hash: 9aad1e5cc99a51f83b93fe988e13b8b7399b3877cf975f0eb8938756d34633ac
Instruction Fuzzy Hash: 1D91E271044206DFDB05EF14C989FAA7BE8FF44314F04846AFD859A096DBB8ED45CBA1

Function 0078BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007F1990,000000FF,00000000,00000030), ref: 0078BFAC
SetMenuItemInfoW.USER32(007F1990,00000004,00000000,00000030), ref: 0078BFE1
Sleep.KERNEL32(000001F4), ref: 0078BFF3
GetMenuItemCount.USER32(?), ref: 0078C039
GetMenuItemID.USER32(?,00000000), ref: 0078C056
GetMenuItemID.USER32(?,-00000001), ref: 0078C082
GetMenuItemID.USER32(?,?), ref: 0078C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0078C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078C145

Strings

0, xrefs: 0078BF3D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 746414132627ac30c38f13c047600ecf78ea45239feffd93724b4c547beadb5c
Instruction ID: 14fa6cccb5cbc720e2a82b87e7e4bb8ce44640ea2e381b2d008313dea5c58181
Opcode Fuzzy Hash: 746414132627ac30c38f13c047600ecf78ea45239feffd93724b4c547beadb5c
Instruction Fuzzy Hash: DA6181B094024AEFDF12EF68DC88EAE7BB8EF05344F104155E951A3291D739AD15CB70

Function 007ACC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ACC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 007ACC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ACD48

Part of subcall function 007ACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 007ACCAA
Part of subcall function 007ACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 007ACCBD
Part of subcall function 007ACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007ACCCF
Part of subcall function 007ACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 007ACD05
Part of subcall function 007ACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 007ACD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 007ACCF3

Strings

RegDeleteKeyExW, xrefs: 007ACCC9
advapi32.dll, xrefs: 007ACCB8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: fa38340de883a4dbd4891d3239ea7b635051fa736f753bd6187a866d8f343519
Instruction ID: 29b07094388228592ef23cca2253cd7e1fe88c9dbdfb2cdb11ebf4b5b7737539
Opcode Fuzzy Hash: fa38340de883a4dbd4891d3239ea7b635051fa736f753bd6187a866d8f343519
Instruction Fuzzy Hash: D931A1B1A0112CBBD7229B55DC88EFFBB7CEF46750F008265F905E2200DB788A45DAB4

Function 00793D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00793D40
_wcslen.LIBCMT ref: 00793D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00793D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00793DBE
RemoveDirectoryW.KERNEL32(?), ref: 00793DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00793E55
CloseHandle.KERNEL32(00000000), ref: 00793E60
CloseHandle.KERNEL32(00000000), ref: 00793E6B

Strings

\, xrefs: 00793D77
\??\%s, xrefs: 00793D5B
:, xrefs: 00793D82

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4a38d4a85e353fe953346540f954ee46bea81f6a5a57ca48dc4e76af1ec15c9f
Instruction ID: 274c1cb042a4bfefe7df22d65eb9f8ea5f86a8963f9f7a7f62b035fa47d998db
Opcode Fuzzy Hash: 4a38d4a85e353fe953346540f954ee46bea81f6a5a57ca48dc4e76af1ec15c9f
Instruction Fuzzy Hash: E231A1B5A04209ABDB219FA0DC49FEB37BCEF88700F5081B5F519D6160EB7897448B24

Function 0078E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0078E6B4

Part of subcall function 0073E551: timeGetTime.WINMM(?,?,0078E6D4), ref: 0073E555

Sleep.KERNEL32(0000000A), ref: 0078E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0078E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0078E727
SetActiveWindow.USER32 ref: 0078E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0078E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0078E773
Sleep.KERNEL32(000000FA), ref: 0078E77E
IsWindow.USER32 ref: 0078E78A
EndDialog.USER32(00000000), ref: 0078E79B

Strings

BUTTON, xrefs: 0078E719

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: db2c0ec71005de3fd06be516f3fc8d4592ab7069736579116962f54a6f4f6ff4
Instruction ID: 75ec5a467338ba0f48a0502832a2b73fca094506c7b5334e95f7d4e55d91579a
Opcode Fuzzy Hash: db2c0ec71005de3fd06be516f3fc8d4592ab7069736579116962f54a6f4f6ff4
Instruction Fuzzy Hash: 0F215EB0340204AFEB116F25EC89F363B69AB54B58F10C525F501C15A2DB7DAC11DB28

Function 0078E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0078EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0078EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0078EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0078EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0078EAA7

Strings

open , xrefs: 0078EA0C
play PlayMe, xrefs: 0078EAA2
play PlayMe wait, xrefs: 0078EA91
status PlayMe mode, xrefs: 0078EA58
alias PlayMe, xrefs: 0078EA36
close PlayMe, xrefs: 0078EA6E, 0078EA9B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 63acf51b6848b41c7c1aaba72e2e0782c8cb7c3ae357232a10b1c2272e699a2c
Instruction ID: 00e07ecf6be67790347b81034879415c2c924de0a5e8463be9c4a2923b6ab739
Opcode Fuzzy Hash: 63acf51b6848b41c7c1aaba72e2e0782c8cb7c3ae357232a10b1c2272e699a2c
Instruction Fuzzy Hash: 9D11A771691269B9D724F762DC4ADFF6A7CEBE5F40F004429B401A20D1DF781944C6B1

Function 00789F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0078A012
SetKeyboardState.USER32(?), ref: 0078A07D
GetAsyncKeyState.USER32(000000A0), ref: 0078A09D
GetKeyState.USER32(000000A0), ref: 0078A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0078A0E3
GetKeyState.USER32(000000A1), ref: 0078A0F4
GetAsyncKeyState.USER32(00000011), ref: 0078A120
GetKeyState.USER32(00000011), ref: 0078A12E
GetAsyncKeyState.USER32(00000012), ref: 0078A157
GetKeyState.USER32(00000012), ref: 0078A165
GetAsyncKeyState.USER32(0000005B), ref: 0078A18E
GetKeyState.USER32(0000005B), ref: 0078A19C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 491c86833b4680b6328f6f0bdf9a19978f402a7d50136030f082e73a2b2598a3
Instruction ID: d193a9be3efcb58186edbeeffacd5fca9feeb02f6788a7459117695b49d3d88c
Opcode Fuzzy Hash: 491c86833b4680b6328f6f0bdf9a19978f402a7d50136030f082e73a2b2598a3
Instruction Fuzzy Hash: 6A51AC2098478879FB35FB704819BEABFB55F11340F0C859AD6C2571C2EA5C9E4CC762

Function 00785CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00785CE2
GetWindowRect.USER32(00000000,?), ref: 00785CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00785D59
GetDlgItem.USER32(?,00000002), ref: 00785D69
GetWindowRect.USER32(00000000,?), ref: 00785D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00785DCF
GetDlgItem.USER32(?,000003E9), ref: 00785DDD
GetWindowRect.USER32(00000000,?), ref: 00785DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00785E31
GetDlgItem.USER32(?,000003EA), ref: 00785E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00785E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00785E67

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 052a7faccbeae75bc6d06364fe9c4b32caec0cb2aaf41c5952c4aa4533a55e16
Instruction ID: 112325be65d54980d4909239fedef50b1c31ee3c14fe97ffb0db566097676a5a
Opcode Fuzzy Hash: 052a7faccbeae75bc6d06364fe9c4b32caec0cb2aaf41c5952c4aa4533a55e16
Instruction Fuzzy Hash: 2C510D71B40609AFDF19DF68DD89EAEBBB5FB48300F148229F915E6290D7749E04CB60

Function 00738BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00738F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00738BE8,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738FC5

DestroyWindow.USER32(?), ref: 00738C81
KillTimer.USER32(00000000,?,?,?,?,00738BBA,00000000,?), ref: 00738D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00776973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 007769A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000,?), ref: 007769B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00738BBA,00000000), ref: 007769D4
DeleteObject.GDI32(00000000), ref: 007769E6

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1e92bc228a375edb3e720a0fa9dab184b464823c59287db3593ce23ee8d9f9e6
Instruction ID: 4d7955839fc807bd068384877ec3dab5cf593645f7d54ae81a59b6498daf630e
Opcode Fuzzy Hash: 1e92bc228a375edb3e720a0fa9dab184b464823c59287db3593ce23ee8d9f9e6
Instruction Fuzzy Hash: F7618830102B00DFEB669F24CA48B35B7B1FB40362F55D658E0469A565CB7DB980CFAA

Function 00739838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00739944: GetWindowLongW.USER32(?,000000EB), ref: 00739952

GetSysColor.USER32(0000000F), ref: 00739862

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1beff462834abe51a474b6446de02671321d4870e64d3afcf997738a10bc25b5
Instruction ID: b19f15f895fa34892c60256672892b05e70fb92dffcf42cb7abf4dad6b2785c5
Opcode Fuzzy Hash: 1beff462834abe51a474b6446de02671321d4870e64d3afcf997738a10bc25b5
Instruction Fuzzy Hash: 8041C331104644AFEF215F3C9C88BFA3B65AB86370F148605FAE29B1E2D7B99C41DB10

Function 00758D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.t, xrefs: 0075903A, 00758FD0, 00758FF2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: .t
API String ID: 0-4274973675
Opcode ID: 6e36193523b843eea32abb5b42bd7d505b029ea4a4678f3ff928d6fdb7f11937
Instruction ID: 70c0fccb7ef3b6b3453d4934ebf2b2f1881200f4a543be01cc104e760a4567bf
Opcode Fuzzy Hash: 6e36193523b843eea32abb5b42bd7d505b029ea4a4678f3ff928d6fdb7f11937
Instruction Fuzzy Hash: C6C1E27490424AEFCF51DFA8C845BEDBBB0BF09311F044159E919A73D2CBB89945CB62

Function 007896E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0076F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00789717
LoadStringW.USER32(00000000,?,0076F7F8,00000001), ref: 00789720

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0076F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00789742
LoadStringW.USER32(00000000,?,0076F7F8,00000001), ref: 00789745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00789866

Strings

^ ERROR, xrefs: 007897FB
Line %d (File "%s"):, xrefs: 0078978F
Line %d:, xrefs: 007897A0
Error: , xrefs: 0078981D
%s (%d) : ==> %s: %s %s, xrefs: 0078984A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: f7cf91151f87266488170c50f973c6d9c940a2dc7517990c7b40e9e6285800ad
Instruction ID: 3723a85f63e78985a7183217e2991c7ce5769a6318017e6a2ba728f6119db9c3
Opcode Fuzzy Hash: f7cf91151f87266488170c50f973c6d9c940a2dc7517990c7b40e9e6285800ad
Instruction Fuzzy Hash: 6B412DB2800219EADB05FBE0ED5AEEEB778AF55340F544425F60572092EA3D6F48CB61

Function 007806DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007807A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007807BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007807DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00780804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0078082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00780837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0078083C

Strings

SOFTWARE\Classes\, xrefs: 0078070E
\CLSID, xrefs: 00780724
\IPC$, xrefs: 00780784

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2f7a2decd1d216c356ab2b92781a5142bfe57166b90687d808dc84b9cdf1706e
Instruction ID: e9d359adcfef0a4db706c1ea288262af288ff4a20b40dd7d02e638baf87ead7f
Opcode Fuzzy Hash: 2f7a2decd1d216c356ab2b92781a5142bfe57166b90687d808dc84b9cdf1706e
Instruction Fuzzy Hash: 96410972C10229EBDF15EBA4DC99DEDB778BF04750F144129E905A7161EB386E48CBA0

Function 007B3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007B403B
CreateCompatibleDC.GDI32(00000000), ref: 007B4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007B4055
SelectObject.GDI32(00000000,00000000), ref: 007B405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 007B4068
DeleteDC.GDI32(00000000), ref: 007B4072
GetWindowLongW.USER32(?,000000EC), ref: 007B407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 007B4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 007B409E

Strings

static, xrefs: 007B3FD3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c57ca568fec418424323fe486776ddd00c03ffa1d59ca407c9234a64d13744f0
Instruction ID: 4b4f47dba845a6a97a4d6da27015711340610cd17a0d871bda9d45b87400efc8
Opcode Fuzzy Hash: c57ca568fec418424323fe486776ddd00c03ffa1d59ca407c9234a64d13744f0
Instruction Fuzzy Hash: F1316072501219AFDF229F68DC09FDA3B68EF0D324F118311FA54E61A1D779D850DB64

Function 007A3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A3C5C
CoInitialize.OLE32(00000000), ref: 007A3C8A
CoUninitialize.OLE32 ref: 007A3C94
_wcslen.LIBCMT ref: 007A3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 007A3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 007A3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 007A3F0E
CoGetObject.OLE32(?,00000000,007BFB98,?), ref: 007A3F2D
SetErrorMode.KERNEL32(00000000), ref: 007A3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007A3FC4
VariantClear.OLEAUT32(?), ref: 007A3FD8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a798627a1f2e6c995aa9f52edd17e798bde08cca736b0b4cf4b2bcc89e71a660
Instruction ID: 8f6dfff10fb2a789ae9f03df38a2034ec148876a65ffef2419e800d39c08e065
Opcode Fuzzy Hash: a798627a1f2e6c995aa9f52edd17e798bde08cca736b0b4cf4b2bcc89e71a660
Instruction Fuzzy Hash: 9FC11371608205DFD700DF68C88492BBBE9FF8A744F144A1DF98A9B250D739EE45CB52

Function 00797A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00797AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00797B8F
SHGetDesktopFolder.SHELL32(?), ref: 00797BA3
CoCreateInstance.OLE32(007BFD08,00000000,00000001,007E6E6C,?), ref: 00797BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00797C74
CoTaskMemFree.OLE32(?,?), ref: 00797CCC
SHBrowseForFolderW.SHELL32(?), ref: 00797D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00797D7A
CoTaskMemFree.OLE32(00000000), ref: 00797D81
CoTaskMemFree.OLE32(00000000), ref: 00797DD6
CoUninitialize.OLE32 ref: 00797DDC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 06cccdea86cb28a44ea51285362d3f9b2ed8871f53e40841ef55997410ba42a6
Instruction ID: 59faa344f0fc74c5cd6bd5e980aa199cdcec74fe3f4840ac437ec7113d11cd9e
Opcode Fuzzy Hash: 06cccdea86cb28a44ea51285362d3f9b2ed8871f53e40841ef55997410ba42a6
Instruction Fuzzy Hash: 47C13975A04119EFCB14DFA4D888DAEBBF9FF48304B148599F81A9B261D734EE41CB90

Function 007B541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007B5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B5515
CharNextW.USER32(00000158), ref: 007B5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007B5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007B559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B55AC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 34207b23b0ee59a1a3d255c3defa1e115c01d0e463ee5cf8ff5025dd59b1c3ef
Instruction ID: 2510ed6cde5d861081bedeb4550a4188dc45ddf87378884f88fc5d4e1cf42035
Opcode Fuzzy Hash: 34207b23b0ee59a1a3d255c3defa1e115c01d0e463ee5cf8ff5025dd59b1c3ef
Instruction Fuzzy Hash: 02616C70904608EFDF219F54CC85FFE7BB9EF09725F108145F925AA290D7789A81DB60

Function 0077FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0077FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0077FB08
VariantInit.OLEAUT32(?), ref: 0077FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0077FB3A
VariantCopy.OLEAUT32(?,?), ref: 0077FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0077FBA1
VariantClear.OLEAUT32(?), ref: 0077FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0077FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0077FBCC
VariantClear.OLEAUT32(?), ref: 0077FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0077FBE9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 585386fe174bd59f027eacef5b9704f98426aba4eb8738a52cb832375dbbb0a1
Instruction ID: 65cd6d9b01c6cfae8bd7817a447f467e8c369c661365505ece5cf0841ec63416
Opcode Fuzzy Hash: 585386fe174bd59f027eacef5b9704f98426aba4eb8738a52cb832375dbbb0a1
Instruction Fuzzy Hash: 45415275A00219DFCF01DF64D958EAEBBB9EF48354F00C065E959A7261CB38AA45CFA0

Function 00789C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00789CA1
GetAsyncKeyState.USER32(000000A0), ref: 00789D22
GetKeyState.USER32(000000A0), ref: 00789D3D
GetAsyncKeyState.USER32(000000A1), ref: 00789D57
GetKeyState.USER32(000000A1), ref: 00789D6C
GetAsyncKeyState.USER32(00000011), ref: 00789D84
GetKeyState.USER32(00000011), ref: 00789D96
GetAsyncKeyState.USER32(00000012), ref: 00789DAE
GetKeyState.USER32(00000012), ref: 00789DC0
GetAsyncKeyState.USER32(0000005B), ref: 00789DD8
GetKeyState.USER32(0000005B), ref: 00789DEA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7e5dd046407c1e991014fb6dc90fd71ee3114be5fbb3751f85d6243ed147cb9c
Instruction ID: fe6937e03e8bc1e3fcd96deb4c8b7d7351a74dbd94ca6030b12659601f11594d
Opcode Fuzzy Hash: 7e5dd046407c1e991014fb6dc90fd71ee3114be5fbb3751f85d6243ed147cb9c
Instruction Fuzzy Hash: E541B5346847C96DFF71A670C8047B5BEA06F11344F0C805ADBC6566C2EBAD99C8C7B6

Function 007A055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007A05BC
inet_addr.WSOCK32(?), ref: 007A061C
gethostbyname.WSOCK32(?), ref: 007A0628
IcmpCreateFile.IPHLPAPI ref: 007A0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007A06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007A06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007A07B9
WSACleanup.WSOCK32 ref: 007A07BF

Strings

Ping, xrefs: 007A0676

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d4289c96e4578f1b1aa98d87667f0069b239049b3be5c150ed5c0c1eeb11373a
Instruction ID: 6976dd7e33b5170a5552e33b47088d5edcf843206d38f39bf310ad5a0881d9ae
Opcode Fuzzy Hash: d4289c96e4578f1b1aa98d87667f0069b239049b3be5c150ed5c0c1eeb11373a
Instruction Fuzzy Hash: 42918E75604201DFD720CF19D489F1ABBE0AF89318F148AA9F4699B6A2C738ED45CFD1

Function 007A8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 007A8CF3

Part of subcall function 00788E54: _wcslen.LIBCMT ref: 00788E77

_wcslen.LIBCMT ref: 007A8D4E
_wcslen.LIBCMT ref: 007A8D9C
_wcslen.LIBCMT ref: 007A8DDC
_wcslen.LIBCMT ref: 007A8E6E

Strings

none, xrefs: 007A8E65, 007A8E6A
cdecl, xrefs: 007A8D48, 007A8D4D
stdcall, xrefs: 007A8DD6, 007A8DDB
winapi, xrefs: 007A8D96, 007A8D9B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: dcb601c86f0e342a2216e7f522e585ea4549ec7158f9a59e20c6461a2b5e3546
Instruction ID: d3345507d4924033d871f410b7ddc94e3e4dcd4b7313450028352f3c7f8ba137
Opcode Fuzzy Hash: dcb601c86f0e342a2216e7f522e585ea4549ec7158f9a59e20c6461a2b5e3546
Instruction Fuzzy Hash: 2E51B231A05116DBCF54DF68C9409BEB7A5BFAA724B244329E426E72C4EF38DD40C791

Function 007A372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 007A3774
CoUninitialize.OLE32 ref: 007A377F
CoCreateInstance.OLE32(?,00000000,00000017,007BFB78,?), ref: 007A37D9
IIDFromString.OLE32(?,?), ref: 007A384C
VariantInit.OLEAUT32(?), ref: 007A38E4
VariantClear.OLEAUT32(?), ref: 007A3936

Strings

Failed to create object, xrefs: 007A37E4, 007A389A
Invalid parameter, xrefs: 007A3865
NULL Pointer assignment, xrefs: 007A381E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 51f834cd3045b21bca2ea7d646f13ba999db82dbd41edd837546e9e5dcd789fe
Instruction ID: 59c30cc3493b1271e4169c30cc54dbc5f75e2a4c3e7be5aa9dec70dec46502dc
Opcode Fuzzy Hash: 51f834cd3045b21bca2ea7d646f13ba999db82dbd41edd837546e9e5dcd789fe
Instruction Fuzzy Hash: 4861B1B0608311EFD311DF54D889F5AB7E8EF8A714F104A09F5859B291C778EE48CBA2

Function 00793388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007933CF

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007933F0

Strings

Incorrect parameters to object property !, xrefs: 007934AB
Line %d (File "%s"):, xrefs: 00793443, 0079345C
^ ERROR , xrefs: 0079349E
Error: , xrefs: 007934D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00793504
"%s" (%d) : ==> %s:, xrefs: 00793522

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 17e9cfefd4c7fcfb4a7598e7ff43190ea2211e7eb3a5daa2f35eff7cbba88997
Instruction ID: 04bc9fc99f7d13148acb943aecf5031aee85a8a60a72dba73220f24d07e8f497
Opcode Fuzzy Hash: 17e9cfefd4c7fcfb4a7598e7ff43190ea2211e7eb3a5daa2f35eff7cbba88997
Instruction Fuzzy Hash: 875170B1900259EADF15EBA0ED4AEFEB778AF18340F244165F50572052EB3D6F58CB60

Function 0078B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0078B5FC
_wcslen.LIBCMT ref: 0078B608
_wcslen.LIBCMT ref: 0078B64D
_wcslen.LIBCMT ref: 0078B68C
_wcslen.LIBCMT ref: 0078B6C7

Strings

KEYS, xrefs: 0078B647, 0078B64C
EXISTS, xrefs: 0078B686, 0078B68B
REMOVE, xrefs: 0078B602, 0078B607
APPEND, xrefs: 0078B6C1, 0078B6C6

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d168e12d11bd18e2847d4f329de552d183a07907866750ab984f1ae2e212c33b
Instruction ID: 8e010c785d2efe8db13127b8301b4cfe1bcad8d5b34425cceeb4e11a84404901
Opcode Fuzzy Hash: d168e12d11bd18e2847d4f329de552d183a07907866750ab984f1ae2e212c33b
Instruction Fuzzy Hash: 5141D632B41127DBCB207F7D88905BE77A5BFA4794B24412AE421D7284F739DD81C790

Function 00795393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007953A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00795416
GetLastError.KERNEL32 ref: 00795420
SetErrorMode.KERNEL32(00000000,READY), ref: 007954A7

Strings

NOTREADY, xrefs: 0079544B
INVALID, xrefs: 00795459
READY, xrefs: 00795460, 00795468
READONLY, xrefs: 00795452
UNKNOWN, xrefs: 00795444

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 829116e7a7f11f942af50603dcd6c82f30ba0b89fc0669a3b8ac110173da561a
Instruction ID: 29c6c3bf00ff4a817d361455dae01da196f98ed18520e2ebd1ca0f2ae1f9204a
Opcode Fuzzy Hash: 829116e7a7f11f942af50603dcd6c82f30ba0b89fc0669a3b8ac110173da561a
Instruction Fuzzy Hash: D431D375A00558DFCB52DF68E888FA9BBB4FF44305F188169E501DB2A2D738DD82CB90

Function 007B3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007B3C79
SetMenu.USER32(?,00000000), ref: 007B3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B3D10
IsMenu.USER32(?), ref: 007B3D24
CreatePopupMenu.USER32 ref: 007B3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B3D5B
DrawMenuBar.USER32 ref: 007B3D63

Strings

F, xrefs: 007B3D4E
0, xrefs: 007B3C54

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 43f6ae1367fa81cb98d76e6f33958778218aabea7f57576b475f560fe1582553
Instruction ID: 2a2b538d99f8cbc4c103582629e288f53119d69b0d9c62fe5a8d67a25cf9b2e5
Opcode Fuzzy Hash: 43f6ae1367fa81cb98d76e6f33958778218aabea7f57576b475f560fe1582553
Instruction Fuzzy Hash: 5A416A75A01209EFDB24CF64D844FEA7BB5FF49350F148129F946A7360D778AA10CBA4

Function 00781EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00781F64
GetDlgCtrlID.USER32 ref: 00781F6F
GetParent.USER32 ref: 00781F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00781F8E
GetDlgCtrlID.USER32(?), ref: 00781F97
GetParent.USER32(?), ref: 00781FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00781FAE

Strings

ListBox, xrefs: 00781F21
ComboBox, xrefs: 00781EEC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 803e703e8f449c3db9851f643a7584a3e80470227e9c624e0a50ff59c2b8b5de
Instruction ID: 51fd53e34d9d230efa793e7dc0bcc54147bacec62e9f66c5d471f6bd15fced5c
Opcode Fuzzy Hash: 803e703e8f449c3db9851f643a7584a3e80470227e9c624e0a50ff59c2b8b5de
Instruction Fuzzy Hash: 5321B374940118FBCF05AFA0DC49EEEBBB8AF09314F044155BA61672D1DB7C5905DB64

Function 00781FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00782043
GetDlgCtrlID.USER32 ref: 0078204E
GetParent.USER32 ref: 0078206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0078206D
GetDlgCtrlID.USER32(?), ref: 00782076
GetParent.USER32(?), ref: 0078208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0078208D

Strings

ListBox, xrefs: 00782002
ComboBox, xrefs: 00781FCD

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8bd19c7573ebd6e5481ca98ec1c96d5cc50b17e02d2f3d0df0aeeef1a1bad6a9
Instruction ID: ff28828d6e32e2132c1c69e7f91e6ecef57f19df637ad352f03f86147cb343cc
Opcode Fuzzy Hash: 8bd19c7573ebd6e5481ca98ec1c96d5cc50b17e02d2f3d0df0aeeef1a1bad6a9
Instruction Fuzzy Hash: 782101B1D40218FBCF01BFA0DC89EEEBBB8EF08304F108056B951A31A2CA7D4905CB60

Function 007B3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007B3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007B3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007B3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007B3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007B3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007B3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007B3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007B3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007B3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007B3C13

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c83e8f80e4d17892f3e604dc0f853260c54be5060168f47986c6f74956bac550
Instruction ID: 6a2e575dfcc5b177739557acef278f0f974829695d8de2aa08136a1c80e04996
Opcode Fuzzy Hash: c83e8f80e4d17892f3e604dc0f853260c54be5060168f47986c6f74956bac550
Instruction Fuzzy Hash: 83617A75900248EFDB10DFA8CC85FEE77B8EB09714F104199FA15A72A1C778AE85DB60

Function 0078B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0078B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B165
GetWindowThreadProcessId.USER32(00000000), ref: 0078B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0078B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0078A1E1,?,00000001), ref: 0078B21D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1727c230e202a32b53f0527d427fc6a56c4a036354d431cee084db40deb2fd20
Instruction ID: 76dc437e5c294199c0ebfbe3b3e937edff098675fca1c0393fd6b68ece378176
Opcode Fuzzy Hash: 1727c230e202a32b53f0527d427fc6a56c4a036354d431cee084db40deb2fd20
Instruction Fuzzy Hash: 0B3171B5980208BFDB11AF64DC49F7D7BAABB51315F10C116FA05DA190DBBCAA40CF68

Function 00752C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00752C94

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 00752CA0
_free.LIBCMT ref: 00752CAB
_free.LIBCMT ref: 00752CB6
_free.LIBCMT ref: 00752CC1
_free.LIBCMT ref: 00752CCC
_free.LIBCMT ref: 00752CD7
_free.LIBCMT ref: 00752CE2
_free.LIBCMT ref: 00752CED
_free.LIBCMT ref: 00752CFB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a1b3dfc703f5f652365997941f5cce8c536b321c477286a7d9d93dfcf21475a2
Instruction ID: e5aee6e9c921b72c07c088c810b14150c61c11a65832d5168619c94e51f320d4
Opcode Fuzzy Hash: a1b3dfc703f5f652365997941f5cce8c536b321c477286a7d9d93dfcf21475a2
Instruction Fuzzy Hash: 9E11AF76100108EFCB02EF54D886CDD3BA5BF06351F9144A4FA48AB232DB75EA559B90

Function 00797DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00797FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00797FC1
GetFileAttributesW.KERNEL32(?), ref: 00797FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00798005
SetCurrentDirectoryW.KERNEL32(?), ref: 00798017
SetCurrentDirectoryW.KERNEL32(?), ref: 00798060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007980B0

Strings

*.*, xrefs: 00798066

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 2a9749bafaa3d4943602a2b98adf224319229eb4f77ef4c93e72c6ccf5365ab7
Instruction ID: 1c3d0ae2e3abe1a288a9a5aaa658e3a623b439193199f95fdf8c1fc1f760c722
Opcode Fuzzy Hash: 2a9749bafaa3d4943602a2b98adf224319229eb4f77ef4c93e72c6ccf5365ab7
Instruction Fuzzy Hash: 4E819172518245DBCF28EF14D845AAEB3E8BF89310F58485EF885D7250EB38DD45CB92

Function 00725BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00725C7A

Part of subcall function 00725D0A: GetClientRect.USER32(?,?), ref: 00725D30
Part of subcall function 00725D0A: GetWindowRect.USER32(?,?), ref: 00725D71
Part of subcall function 00725D0A: ScreenToClient.USER32(?,?), ref: 00725D99

GetDC.USER32 ref: 007646F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00764708
SelectObject.GDI32(00000000,00000000), ref: 00764716
SelectObject.GDI32(00000000,00000000), ref: 0076472B
ReleaseDC.USER32(?,00000000), ref: 00764733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007647C4

Strings

U, xrefs: 00764693

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 17c09dc52d8434eb14964c770349f639bbe596f71f7e0508885e47472c35b0f2
Instruction ID: 1f7dad4f0522ba4aec1e692f8977925250383fdd23d812f0e79e9e7027e680cd
Opcode Fuzzy Hash: 17c09dc52d8434eb14964c770349f639bbe596f71f7e0508885e47472c35b0f2
Instruction Fuzzy Hash: 5271E131400205DFCF21CF64C984AFA3BB6FF4A364F148269ED565A1A6D7399C81DF60

Function 0079359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007935E4

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

LoadStringW.USER32(007F2390,?,00000FFF,?), ref: 0079360A

Strings

^ ERROR, xrefs: 007936C9
Line %d (File "%s"):, xrefs: 0079366B
Error: , xrefs: 007936EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00793724
"%s" (%d) : ==> %s:, xrefs: 00793742

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 212888266b241c6a96cbf2dae4ef8e782650cf402470d098b78f5ec7f1fb5257
Instruction ID: bd718e7f3b9bfc2c99c02765a21798afefe6bcc624c7712cd9b224ac55298390
Opcode Fuzzy Hash: 212888266b241c6a96cbf2dae4ef8e782650cf402470d098b78f5ec7f1fb5257
Instruction Fuzzy Hash: 08516EB1800259FADF15EBE0EC8AEEDBB74AF14340F184125F205720A2DB391B98DF61

Function 0079C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0079C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0079C2CA
GetLastError.KERNEL32 ref: 0079C322
SetEvent.KERNEL32(?), ref: 0079C336
InternetCloseHandle.WININET(00000000), ref: 0079C341

Strings

, xrefs: 0079C2BB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 11ac72216aa7046e48b7dff52ee4e9c8b8e75b385c7f5924b125207748e2e17a
Instruction ID: 7ca3da7115d943ef4476bcbbb471c416cc6d829be2b24a85d047ebc5ed288e0d
Opcode Fuzzy Hash: 11ac72216aa7046e48b7dff52ee4e9c8b8e75b385c7f5924b125207748e2e17a
Instruction Fuzzy Hash: A4317CB1600208AFDF229F64AC88EAB7BFCEB49744F14851EF446D2200DB38DD049B66

Function 0078989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00763AAF,?,?,Bad directive syntax error,007BCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007898BC
LoadStringW.USER32(00000000,?,00763AAF,?), ref: 007898C3

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00789987

Strings

., xrefs: 0078996D
Line %d (File "%s"):, xrefs: 0078992D
Error: , xrefs: 00789955
Line %d:, xrefs: 00789912
%s (%d) : ==> %s.: %s %s, xrefs: 007898F1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8cc938f0b73ebc5277de5f596283e0aeb8b0e2d033394567dc3f2237739d9fcb
Instruction ID: 4244b63c9be1f225169f5a6c721048a0cea4fa5c47db67df716482dd29e63aa3
Opcode Fuzzy Hash: 8cc938f0b73ebc5277de5f596283e0aeb8b0e2d033394567dc3f2237739d9fcb
Instruction Fuzzy Hash: 4C218271C4025DEBDF12EF90DC0AEED7735BF18340F084425F615610A2DB79A618DB20

Function 0078209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007820AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007820C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0078214D

Strings

largeicons, xrefs: 007820E1
SHELLDLL_DefView, xrefs: 007820CC
list, xrefs: 0078212F
details, xrefs: 007820FB
smallicons, xrefs: 00782115

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 77df9ef017bc63558bdddb24340e6549ae2c4da542b5ce3639f0e1997a314e7f
Instruction ID: 1710872383be3d1b12360def64a39db7e4afbb3c39cebb74267148f7aade0297
Opcode Fuzzy Hash: 77df9ef017bc63558bdddb24340e6549ae2c4da542b5ce3639f0e1997a314e7f
Instruction Fuzzy Hash: 5F11A7B6AC470AFAF60176259C0EEA6379CDB09729B304116F704A51D2FAAD58425714

Function 0075CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0075CEB7
_free.LIBCMT ref: 0075CF22
_free.LIBCMT ref: 0075CF48
_free.LIBCMT ref: 0075CF71
_free.LIBCMT ref: 0075CFA9
_free.LIBCMT ref: 0075CFDA
_free.LIBCMT ref: 0075D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0075D09C
_free.LIBCMT ref: 0075D0B5

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 3e79dee993b28fb51388479743162ebdafe8355bfbc1ed580950f026cf8aa971
Instruction ID: aaa5c89a0f6c42d31aa2669ba978f0fb33a760c492dc4703498e9db3599f3665
Opcode Fuzzy Hash: 3e79dee993b28fb51388479743162ebdafe8355bfbc1ed580950f026cf8aa971
Instruction Fuzzy Hash: AE61F772A04304AFDB32AFB49845BED7BA5AF05312F04416DED44A72C2D7BD9D09C790

Function 007B50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 007B5186
ShowWindow.USER32(?,00000000), ref: 007B51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007B51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007B51D1

Part of subcall function 007B6FBA: DeleteObject.GDI32(00000000), ref: 007B6FE6

GetWindowLongW.USER32(?,000000F0), ref: 007B520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007B524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 007B5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 007B5296

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 8916785aae84100497b0b013da880c32a467e6992bf3773c2902cc0aa33d79bd
Instruction ID: 1738c9c485b7607fe10417ce0df08eb5afcf96ef043af6f7dba92df4a8fa5f39
Opcode Fuzzy Hash: 8916785aae84100497b0b013da880c32a467e6992bf3773c2902cc0aa33d79bd
Instruction Fuzzy Hash: B5519B70A42A0CFFEF259F28DC4AFD83B65BB05321F148112F625962E1C7BDA980DB41

Function 00738B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00776890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007768A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007768B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007768D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007768F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00738874,00000000,00000000,00000000,000000FF,00000000), ref: 00776901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0077691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00738874,00000000,00000000,00000000,000000FF,00000000), ref: 0077692D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 3a75bf5c8a36453edae5c80440bc1c5e31184c89cea737aef958f679b19dd2e2
Instruction ID: bcc7254d6a7e5c6eedefbd87d19c2c9c27660bedacf6441076ef161b1659cfbf
Opcode Fuzzy Hash: 3a75bf5c8a36453edae5c80440bc1c5e31184c89cea737aef958f679b19dd2e2
Instruction Fuzzy Hash: 4E516BB060070AEFEB20CF24CC55FAA7BB5EF48760F148518FA56972A0DB78E950DB50

Function 0079C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0079C182
GetLastError.KERNEL32 ref: 0079C195
SetEvent.KERNEL32(?), ref: 0079C1A9

Part of subcall function 0079C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0079C272
Part of subcall function 0079C253: GetLastError.KERNEL32 ref: 0079C322
Part of subcall function 0079C253: SetEvent.KERNEL32(?), ref: 0079C336
Part of subcall function 0079C253: InternetCloseHandle.WININET(00000000), ref: 0079C341

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 58c8c2fefe0d19242dfffb97260cf709defa9cd32081e14bd7ea5231fbb54849
Instruction ID: f59ebac94774305581382e10b08f5d0a85001172e356f89b44c67f5e50e602d4
Opcode Fuzzy Hash: 58c8c2fefe0d19242dfffb97260cf709defa9cd32081e14bd7ea5231fbb54849
Instruction Fuzzy Hash: DC318B71200705EFDF229FA5EC48AA6BBF9FF58300B14852DF95687610DB38E814DBA0

Function 007825A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007825BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007825DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007825DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007825E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00782601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00782605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0078260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00782623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00782627

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: afb610a5c9adc95a2926714fa319c3552b4c7f197da74ad18783097966c5b322
Instruction ID: 1b2d567fd798b078e3c6fbe67abbc196d2c2efe3c43b054ebe4188e68808bf08
Opcode Fuzzy Hash: afb610a5c9adc95a2926714fa319c3552b4c7f197da74ad18783097966c5b322
Instruction Fuzzy Hash: 6901D4703D0218BBFB1077689C8EF593F59DB4EB12F108142F358AE0D1C9FA28458A6E

Function 00781803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00781449,?,?,00000000), ref: 0078180C
HeapAlloc.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 00781813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00781449,?,?,00000000), ref: 00781828
GetCurrentProcess.KERNEL32(?,00000000,?,00781449,?,?,00000000), ref: 00781830
DuplicateHandle.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 00781833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00781449,?,?,00000000), ref: 00781843
GetCurrentProcess.KERNEL32(00781449,00000000,?,00781449,?,?,00000000), ref: 0078184B
DuplicateHandle.KERNEL32(00000000,?,00781449,?,?,00000000), ref: 0078184E
CreateThread.KERNEL32(00000000,00000000,00781874,00000000,00000000,00000000), ref: 00781868

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f25cf4c25217fb2455fab9c5d59c4a66e7a1f0da94ef715cbca7cd2dd5b76d42
Instruction ID: 444db369636bcb4f440d7d91ca61c97e792ff0c30c4d8f3dcd8c0af17166bc9b
Opcode Fuzzy Hash: f25cf4c25217fb2455fab9c5d59c4a66e7a1f0da94ef715cbca7cd2dd5b76d42
Instruction Fuzzy Hash: 2C01ACB524030CBFE611AFA5DC4AF573BACEB89B11F41C511FA05EB191C67498008B24

Function 00753E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00753F0B
__alldvrm.LIBCMT ref: 0075410C
__alldvrm.LIBCMT ref: 0075412E

Strings

}}t, xrefs: 007540CD
}}t, xrefs: 00753E8A
}}t, xrefs: 00753E96, 00753EF1, 00753F0A, 00754090

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}t$}}t$}}t
API String ID: 1036877536-86296138
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 0b20ee78428c7639822370cb9d455256695bedee26db96aaf42c1bcaec9b85ab
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 35A16B72E007869FE711CF18C8817EEBBE4EF61395F2841ADED459B281C2BC8989C750

Function 007AA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0078D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0078D501
Part of subcall function 0078D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0078D50F
Part of subcall function 0078D4DC: CloseHandle.KERNELBASE(00000000), ref: 0078D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AA16D
GetLastError.KERNEL32 ref: 007AA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007AA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 007AA268
GetLastError.KERNEL32(00000000), ref: 007AA273
CloseHandle.KERNEL32(00000000), ref: 007AA2C4

Strings

SeDebugPrivilege, xrefs: 007AA18F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 553690606925c80c46513ded22e9bb286eb6fe9490c048e8febefe076ea047c6
Instruction ID: 7f2d997d5d91a41dd767a9f00150da22114cd2b4c2e6b3a7deba528c5f292968
Opcode Fuzzy Hash: 553690606925c80c46513ded22e9bb286eb6fe9490c048e8febefe076ea047c6
Instruction Fuzzy Hash: 9361AF71204242AFD721DF18C498F1ABBE1AF95318F18C59CE4568B7A3C77AEC45CB92

Function 007B3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007B3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007B393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007B3954
_wcslen.LIBCMT ref: 007B3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007B39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007B39F4

Strings

SysListView32, xrefs: 007B38F7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 180acf57b25f244aa8f518c05cc6ac325330fc64409ddfea726983310df98324
Instruction ID: 4c46dec969999a4a7cd2478faa1671457bf2afecf9d97b73718d60da9a6dd654
Opcode Fuzzy Hash: 180acf57b25f244aa8f518c05cc6ac325330fc64409ddfea726983310df98324
Instruction Fuzzy Hash: 5141B771A00319EBEF219F64CC49FEA77A9EF08354F104566F958E7281D7B9AD80CB90

Function 0078BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0078BCFD
IsMenu.USER32(00000000), ref: 0078BD1D
CreatePopupMenu.USER32 ref: 0078BD53
GetMenuItemCount.USER32(010577A8), ref: 0078BDA4
InsertMenuItemW.USER32(010577A8,?,00000001,00000030), ref: 0078BDCC

Strings

2, xrefs: 0078BD37
0, xrefs: 0078BCA8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 9f5ba5ecf993527b6aa3029c94c9e9c343235e8184627a6527471ac18822bc7c
Instruction ID: 77f4bd88fee6a8185eaa8cf90c9a02b7172198138dcbc2564b091dd3a633f487
Opcode Fuzzy Hash: 9f5ba5ecf993527b6aa3029c94c9e9c343235e8184627a6527471ac18822bc7c
Instruction Fuzzy Hash: 3A51D070B40205EBDF21EFA8D888BAEBBF4BF45324F248219E411D7291D778A945CB71

Function 00742D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00742D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00742D53
_ValidateLocalCookies.LIBCMT ref: 00742DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00742E0C
_ValidateLocalCookies.LIBCMT ref: 00742E61

Strings

&Ht, xrefs: 00742DFE, 00742E07, 00742E18
csm, xrefs: 00742DF6

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Ht$csm
API String ID: 1170836740-1510349557
Opcode ID: b435ad77a395d11f0b4a149c7be0c280beaccd5c27294a9bbfffa0e7b581ec6c
Instruction ID: 8520967a8038174d6dfc3cd88d2f9c731ab929c932172edf729b90b5e652c50c
Opcode Fuzzy Hash: b435ad77a395d11f0b4a149c7be0c280beaccd5c27294a9bbfffa0e7b581ec6c
Instruction Fuzzy Hash: 67418334E00219EBCF14DF68C849A9EBBA5BF44324F548155F815AB253D7399A26CFD0

Function 0078C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0078C913

Strings

info, xrefs: 0078C8B4
question, xrefs: 0078C8CC
blank, xrefs: 0078C895
stop, xrefs: 0078C8E4
warning, xrefs: 0078C8FC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f1bce1b8ff60579d04f34bb9574d4f944de50256a007a7f85c3e024f05918a1b
Instruction ID: 275f59c14402f75787acc01a841c9de431d7ac4b45b9fbdee57815b336b50a50
Opcode Fuzzy Hash: f1bce1b8ff60579d04f34bb9574d4f944de50256a007a7f85c3e024f05918a1b
Instruction Fuzzy Hash: CE110D317C9746BEE7027B559C83DAA679CDF25364B20406BF500B6282E77C6E405379

Function 0078DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0078DE42
gethostname.WSOCK32(?,00000100), ref: 0078DE5C
gethostbyname.WSOCK32(?), ref: 0078DE69
inet_ntoa.WSOCK32(?), ref: 0078DEAB
_strcat.LIBCMT ref: 0078DEB9
WSACleanup.WSOCK32 ref: 0078DEDE

Strings

0.0.0.0, xrefs: 0078DE87

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 382e402ec9ebed0a00446f9a6e81e01e9ec14caaa816b16eec0bd814ba8baac4
Instruction ID: c61f43a55b8eea64ca71020d246f5ffba9f85f3219a12365f25dee700164f1e3
Opcode Fuzzy Hash: 382e402ec9ebed0a00446f9a6e81e01e9ec14caaa816b16eec0bd814ba8baac4
Instruction Fuzzy Hash: 2211E1B1944114ABDB31BB249C4EEEE77ACDB14710F0042A9F545AA091EF7C9E819B60

Function 007B9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetSystemMetrics.USER32(0000000F), ref: 007B9FC7
GetSystemMetrics.USER32(0000000F), ref: 007B9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007BA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007BA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007BA263
ShowWindow.USER32(00000003,00000000), ref: 007BA282
InvalidateRect.USER32(?,00000000,00000001), ref: 007BA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 007BA2CA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef83dad963a27d7819882bf6fa26a0e99f18f18e173cc2af3abe2b15a0c23b7f
Instruction ID: 37c2d730e4a44ae3c9883fff7f652b4f8be9c63a29d8d2c3fe4a219825a6a210
Opcode Fuzzy Hash: ef83dad963a27d7819882bf6fa26a0e99f18f18e173cc2af3abe2b15a0c23b7f
Instruction Fuzzy Hash: A8B1A931600219EFDF14DF68C989BEA3BB2BF88701F08C069ED459B295D739A940CB51

Function 0078ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0078ED2A
_wcslen.LIBCMT ref: 0078ED3B
_wcslen.LIBCMT ref: 0078ED79
_wcslen.LIBCMT ref: 0078EDAF
_wcslen.LIBCMT ref: 0078EDDF
_wcslen.LIBCMT ref: 0078EDEF
_wcslen.LIBCMT ref: 0078EE2B
_wcslen.LIBCMT ref: 0078EE5A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 018785979d2dc84fde5ab56a04416fe4740a6c1ebd78a56df7f71e0a8463548a
Instruction ID: 571b2e75465c340810d79e8351570e15e728104464bfdd2c85634f543bbf47a1
Opcode Fuzzy Hash: 018785979d2dc84fde5ab56a04416fe4740a6c1ebd78a56df7f71e0a8463548a
Instruction Fuzzy Hash: 95419366C10218B5DB11FBF4888EACFB7A8AF45710F508562E514F3122FB38E655C3A6

Function 0073F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0073F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0077F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 0077F454

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 787731a7b0421b7a5ebdf590620dc5ce21a747edea14f759350c20f9ed6d9e3d
Instruction ID: 7e5c37f3bb2d3b3808e4c69d1477b63010db65524b133f3d221a44e14146b1b1
Opcode Fuzzy Hash: 787731a7b0421b7a5ebdf590620dc5ce21a747edea14f759350c20f9ed6d9e3d
Instruction Fuzzy Hash: 9141EB31904680FFEB359B298988B7A7B91AF563A4F14C53CE04BD6662C67DB880C711

Function 007B2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007B2D1B
GetDC.USER32(00000000), ref: 007B2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007B2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007B2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007B2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007B5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007B2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007B2DE1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9fd22ca21511447f562bd1c05631854b15189a70388a5a46d48bb4d890d630ea
Instruction ID: 63ff16b98a27a6efd8284a251588f4b744320b0dc790b6a1e40ff34477ebd2ae
Opcode Fuzzy Hash: 9fd22ca21511447f562bd1c05631854b15189a70388a5a46d48bb4d890d630ea
Instruction Fuzzy Hash: 7A317C72201214BFEB158F54CC8AFEB3BADEF49715F048155FE089A291C6799C51CBB4

Function 00785622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00785637
_memcmp.LIBVCRUNTIME ref: 00785659
_memcmp.LIBVCRUNTIME ref: 00785671
_memcmp.LIBVCRUNTIME ref: 00785684
_memcmp.LIBVCRUNTIME ref: 0078569E
_memcmp.LIBVCRUNTIME ref: 007856B1
_memcmp.LIBVCRUNTIME ref: 007856C9
_memcmp.LIBVCRUNTIME ref: 007856E4

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f13ac2a0b8fad4d0e4763e16a8f00779fd2859e5bd3dddfc881a08a602fcc419
Instruction ID: 59420ea1c0f3ea72afa94706da5c2025f2c87428eac55b5af9e54eb295dd8be9
Opcode Fuzzy Hash: f13ac2a0b8fad4d0e4763e16a8f00779fd2859e5bd3dddfc881a08a602fcc419
Instruction Fuzzy Hash: 3521C6B17D0A09BBD6147A208E86FFB335CAF21B94F844020FD049A681F72DED5183B9

Function 007A4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 007A502E, 007A5383
Not an Object type, xrefs: 007A5007

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8dca6ef9b4c99b4f627f89f88c706d8e21aa2df6293b06f54280c1a1519a6aea
Instruction ID: 4ed23c5628f3587228b315e64c7416f7008e24e8c4114f3114c545e0bb5ae0a3
Opcode Fuzzy Hash: 8dca6ef9b4c99b4f627f89f88c706d8e21aa2df6293b06f54280c1a1519a6aea
Instruction Fuzzy Hash: 5ED1D571A0060A9FDF10CFA8C885FAEB7B5FF89344F148269E915AB281E774DD45CB90

Function 00761522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007615CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00761651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007616E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 007616FB

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00761777
__freea.LIBCMT ref: 007617A2
__freea.LIBCMT ref: 007617AE

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2b4cc3fdd5dbd0286b0e41d1923f8d258b17bb688b2cebfa4848967705dd78ec
Instruction ID: 81f6125f09f286949c74203ab88e68fb6067ac912db1a60338c995ae543d079f
Opcode Fuzzy Hash: 2b4cc3fdd5dbd0286b0e41d1923f8d258b17bb688b2cebfa4848967705dd78ec
Instruction Fuzzy Hash: DB91A271E0021A9ADB218E74CC99AEEBBB5AF49310F9C4659EC03E7151DB3DDD44CBA0

Function 007A4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A4648
VariantInit.OLEAUT32(?), ref: 007A4749
VariantClear.OLEAUT32(?), ref: 007A4753
VariantClear.OLEAUT32(?), ref: 007A47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007A472C
Null Object assignment in FOR..IN loop, xrefs: 007A45D8, 007A4706, 007A47BE

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1af7cba3807ce7fe30e422b2f9d83f98a991803aa0634a1dc550cd85c08e8868
Instruction ID: e58512cd4526bf6a018c6c117d8c4f55c443b3cf1b1a067a982e2f056e20b4d3
Opcode Fuzzy Hash: 1af7cba3807ce7fe30e422b2f9d83f98a991803aa0634a1dc550cd85c08e8868
Instruction Fuzzy Hash: 3291B371A00215EBDF24CFA5CC48FAE7BB8EFC6710F108259F505AB281D7B99941CBA0

Function 00791187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0079125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00791284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007912A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007912D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0079135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007913C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00791430

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f5fa7e7b777c37b7cc49730bc3e2ce8d70b3d279224257824126a5acce246865
Instruction ID: 48c32d7a6b02094bde78717c9d23b941c28cfe1b09463a6d5743364e6985da64
Opcode Fuzzy Hash: f5fa7e7b777c37b7cc49730bc3e2ce8d70b3d279224257824126a5acce246865
Instruction Fuzzy Hash: 5A91C175A0021AAFDF01DF94E889BBE77B5FF45325F508029E900EB291D77CA951CB90

Function 0073948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6b4d6fa4ce1ded5a2d2bcdd09feaf323784cc2152745e226a33726d83a867006
Instruction ID: cda3f06f8a79ba974b10cdae8f16f46841bc2ccdf9f30e3a0ee981f282effe2f
Opcode Fuzzy Hash: 6b4d6fa4ce1ded5a2d2bcdd09feaf323784cc2152745e226a33726d83a867006
Instruction Fuzzy Hash: 93914971D00219EFDB15CFA9CC88AEEBBB8FF48320F148155E515B7292D378A991CB60

Function 007A3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007A396B
CharUpperBuffW.USER32(?,?), ref: 007A3A7A
_wcslen.LIBCMT ref: 007A3A8A
VariantClear.OLEAUT32(?), ref: 007A3C1F

Part of subcall function 00790CDF: VariantInit.OLEAUT32(00000000), ref: 00790D1F
Part of subcall function 00790CDF: VariantCopy.OLEAUT32(?,?), ref: 00790D28
Part of subcall function 00790CDF: VariantClear.OLEAUT32(?), ref: 00790D34

Strings

Incorrect Parameter format, xrefs: 007A39A6, 007A3BA1
AUTOIT.ERROR, xrefs: 007A3A80, 007A3A85

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9d2fcee85345da94d3e8502b6a142fa017c36a5f12951e780ec91dca5ea2e72f
Instruction ID: c96623a931e033c13835b18f27b7a5466119019b5e09280d084aadf4b1a5cb17
Opcode Fuzzy Hash: 9d2fcee85345da94d3e8502b6a142fa017c36a5f12951e780ec91dca5ea2e72f
Instruction Fuzzy Hash: AC915574A08345DFC704EF24C48496AB7E5BF89314F148A2DF88A9B351DB38EE05CB92

Function 007A4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0078000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?,?,0078035E), ref: 0078002B
Part of subcall function 0078000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780046
Part of subcall function 0078000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780054
Part of subcall function 0078000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?), ref: 00780064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 007A4C51
_wcslen.LIBCMT ref: 007A4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 007A4DCF
CoTaskMemFree.OLE32(?), ref: 007A4DDA

Strings

NULL Pointer assignment, xrefs: 007A4E23, 007A4E52

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a5588060f6081f1993898fc73178940c5f32158e12ed8d93f7daae4ebd54665d
Instruction ID: 59537cfa370cd70910058b4b26ae49ec779ab7c7af7dfbc49cfa931d901f1d0d
Opcode Fuzzy Hash: a5588060f6081f1993898fc73178940c5f32158e12ed8d93f7daae4ebd54665d
Instruction Fuzzy Hash: 67913971D0022DEFDF14DFA4D884AEEB7B8BF49310F108269E915A7241DB795A44CFA0

Function 007B20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007B2183
GetMenuItemCount.USER32(00000000), ref: 007B21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007B21DD
_wcslen.LIBCMT ref: 007B2213
GetMenuItemID.USER32(?,?), ref: 007B224D
GetSubMenu.USER32(?,?), ref: 007B225B

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007B22E3

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 1ae4b068d33d70e897fd33241bded92000d7bcb282435af5d89b603f36955b1c
Instruction ID: 2aafed275a45d65c6b27eb73b98222cb64bf5ca7adc66224aed34974c08c399e
Opcode Fuzzy Hash: 1ae4b068d33d70e897fd33241bded92000d7bcb282435af5d89b603f36955b1c
Instruction Fuzzy Hash: AB714C75A00219EFCB15EF68C845BEEB7F5BF48310F158459E816EB352DB38AD428B90

Function 007B7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01057820), ref: 007B7F37
IsWindowEnabled.USER32(01057820), ref: 007B7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 007B801E
SendMessageW.USER32(01057820,000000B0,?,?), ref: 007B8051
IsDlgButtonChecked.USER32(?,?), ref: 007B8089
GetWindowLongW.USER32(01057820,000000EC), ref: 007B80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007B80C3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c08524028c94720b20de3ab823e48027e389d8f14d4f3d2c65c12dc7fb1ca0fa
Instruction ID: 8defdec4fcd6360440e0220c67cb78085a344b3d00c2c5b11a21f293161136a8
Opcode Fuzzy Hash: c08524028c94720b20de3ab823e48027e389d8f14d4f3d2c65c12dc7fb1ca0fa
Instruction Fuzzy Hash: 7E71B034609204EFEB29DF54CC94FFABBB9EF49340F144499F945972A1CB39A846CB14

Function 0078AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0078AEF9
GetKeyboardState.USER32(?), ref: 0078AF0E
SetKeyboardState.USER32(?), ref: 0078AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0078AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0078AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0078AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0078B020

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e9b133c763a1a9d0613380ca62e75a777083e42f56f60d811e6742e0420b6d63
Instruction ID: 6c38018d61786a148ecff2977c8ef4a87ce658d81615273a840021583bdb9a8c
Opcode Fuzzy Hash: e9b133c763a1a9d0613380ca62e75a777083e42f56f60d811e6742e0420b6d63
Instruction Fuzzy Hash: 6151F4A06847D53DFB3762348C49BBABEE95B06304F08858AE2D9954C2D3DCECD4D751

Function 0078ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0078AD19
GetKeyboardState.USER32(?), ref: 0078AD2E
SetKeyboardState.USER32(?), ref: 0078AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0078ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0078ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0078AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0078AE38

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9098567c04c3bf6a27a18e879dd233bceabe55c92f2e3e6b8ffb590939ed35c8
Instruction ID: 81d1e9c31193449cc3bad31743ea78325b013885ae3a934f910ecc42d792ee2f
Opcode Fuzzy Hash: 9098567c04c3bf6a27a18e879dd233bceabe55c92f2e3e6b8ffb590939ed35c8
Instruction Fuzzy Hash: 5751F9A16847D53DFB37A3348C56B7ABE986B45301F08898AE1D5868C3D39CEC84D762

Function 0075542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00763CD6,?,?,?,?,?,?,?,?,00755BA3,?,?,00763CD6,?,?), ref: 00755470
__fassign.LIBCMT ref: 007554EB
__fassign.LIBCMT ref: 00755506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00763CD6,00000005,00000000,00000000), ref: 0075552C
WriteFile.KERNEL32(?,00763CD6,00000000,00755BA3,00000000,?,?,?,?,?,?,?,?,?,00755BA3,?), ref: 0075554B
WriteFile.KERNEL32(?,?,00000001,00755BA3,00000000,?,?,?,?,?,?,?,?,?,00755BA3,?), ref: 00755584

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9c600777bf0be978f425cef61f8ee0ac3afeaca624b1d442ea5a9bcf592e3c01
Instruction ID: 5928705cd9eda42ea91fe13c173679e5d9e46dae4ee6ab206ee41f8a217e0748
Opcode Fuzzy Hash: 9c600777bf0be978f425cef61f8ee0ac3afeaca624b1d442ea5a9bcf592e3c01
Instruction Fuzzy Hash: F05117B09006489FCB10CFA8D855AEEBBF6EF08301F14411AF945E3291E7749A55CB60

Function 007A10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
Part of subcall function 007A304E: _wcslen.LIBCMT ref: 007A309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007A1112
WSAGetLastError.WSOCK32 ref: 007A1121
WSAGetLastError.WSOCK32 ref: 007A11C9
closesocket.WSOCK32(00000000), ref: 007A11F9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5b8a6673c6a66f588a3968d7de3c453e2ff47facd7c8e8d3b5b2424373af58e4
Instruction ID: fe31dd9cf1fd5373e017f0a13c10afd7367773765b8707dc5d4d0c060a07b797
Opcode Fuzzy Hash: 5b8a6673c6a66f588a3968d7de3c453e2ff47facd7c8e8d3b5b2424373af58e4
Instruction Fuzzy Hash: CE412531200218AFEB119F14C888BAAB7E9EF86324F14C259FD059B291D778ED41CBE1

Function 0078CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0078CF22,?), ref: 0078DDFD

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0078CF22,?), ref: 0078DE16

lstrcmpiW.KERNEL32(?,?), ref: 0078CF45
MoveFileW.KERNEL32(?,?), ref: 0078CF7F
_wcslen.LIBCMT ref: 0078D005
_wcslen.LIBCMT ref: 0078D01B
SHFileOperationW.SHELL32(?), ref: 0078D061

Strings

\*.*, xrefs: 0078CFF3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 79549c03d92698338081e1a72f394aa4375c7adba3bb0381937c1d43f92136ab
Instruction ID: 099215e34638f7141786c5868e12c02cabc87e7eea6892bc13cf71609aa75838
Opcode Fuzzy Hash: 79549c03d92698338081e1a72f394aa4375c7adba3bb0381937c1d43f92136ab
Instruction Fuzzy Hash: 1F4137729452189FDF13FBA4D985EDEB7B9AF08340F1440E6E605EB141EB38AA44CF60

Function 007B2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 007B2E1C
GetWindowLongW.USER32(?,000000F0), ref: 007B2E4F
GetWindowLongW.USER32(?,000000F0), ref: 007B2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 007B2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 007B2EE0
GetWindowLongW.USER32(?,000000F0), ref: 007B2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B2F0B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fd4891c85bd576f11b651be26609e207249e66fc1ecb0f8d0609ff8f7923a696
Instruction ID: cf8fe9bb766b8d622de2d97ff344467a4366ae5d97d09813d9a79dea9a1922c2
Opcode Fuzzy Hash: fd4891c85bd576f11b651be26609e207249e66fc1ecb0f8d0609ff8f7923a696
Instruction Fuzzy Hash: 5F31F430606190EFDB22CF59DC88FA537E5EB5A710F1581A4F900CB2B2CBB9E841DB55

Function 00787726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0078778F
SysAllocString.OLEAUT32(00000000), ref: 00787792
SysAllocString.OLEAUT32(?), ref: 007877B0
SysFreeString.OLEAUT32(?), ref: 007877B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007877DE
SysAllocString.OLEAUT32(?), ref: 007877EC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3247bd53da60ec2e19d59dd41cabfed9c6c25b8bb670fe7a3e770a8f7aa7b240
Instruction ID: 73947a9645392c096769afb95705e67de38fdfbb161256064a47e535fb3d885c
Opcode Fuzzy Hash: 3247bd53da60ec2e19d59dd41cabfed9c6c25b8bb670fe7a3e770a8f7aa7b240
Instruction Fuzzy Hash: AD210376608209AFDF00EFA8CC88DBB77ACEB08364B10C125FA06DB250D678DD41C764

Function 007877FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00787868
SysAllocString.OLEAUT32(00000000), ref: 0078786B
SysAllocString.OLEAUT32 ref: 0078788C
SysFreeString.OLEAUT32 ref: 00787895
StringFromGUID2.OLE32(?,?,00000028), ref: 007878AF
SysAllocString.OLEAUT32(?), ref: 007878BD

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1ff4dc50e90a24756f50773f3fae69ea0475657a63fb89e183d9830a766b8b51
Instruction ID: 0907d0e63c5118ba457fbee59bec894a83069a572c60b5dc7210c47b20bf48af
Opcode Fuzzy Hash: 1ff4dc50e90a24756f50773f3fae69ea0475657a63fb89e183d9830a766b8b51
Instruction Fuzzy Hash: 51217471648204AFDB14AFA8DC8CDAA77ECEB09760720C125F915CB2A1DA78DD41CB74

Function 007904D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007904F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0079052E

Strings

nul, xrefs: 00790567

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: e9c81b1d10bbd9b5f11fa8a414b654f0abda017f2c18073d46cfcb480557a732
Instruction ID: 15bababe178df5ab0c7813babfb41d344cc8e46e18db72475c1ad4c4b0140776
Opcode Fuzzy Hash: e9c81b1d10bbd9b5f11fa8a414b654f0abda017f2c18073d46cfcb480557a732
Instruction Fuzzy Hash: F8218071510305AFDF209F29EC08E9A77B8BF44724F618A29F8A1D72E0D7749960CFA0

Function 007905A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007905C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00790601

Strings

nul, xrefs: 00790639

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2af71c4cfb5090fdf6bb524e756541f145176be8d031dffbeaba912f2857be0a
Instruction ID: 44129fb7c13cdbcf9ad0d7eff8d66ccb623264f3c3c4bb1ad14fa8f83c19a34e
Opcode Fuzzy Hash: 2af71c4cfb5090fdf6bb524e756541f145176be8d031dffbeaba912f2857be0a
Instruction Fuzzy Hash: C92181755103059FDF209F69AC08E9A77E8BF95720F204B19F8A1E72E0D7749960CBA4

Function 007B40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
Part of subcall function 0072600E: GetStockObject.GDI32(00000011), ref: 00726060
Part of subcall function 0072600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007B4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007B411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007B412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007B4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007B4145

Strings

Msctls_Progress32, xrefs: 007B40E3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2362430c1cca439768a530c5a4284f2fbff27d597b6dd47f20408378d1c52be9
Instruction ID: 24f8b63a49e8956172b17104e294e16487086cf33fbb55289ce78666a1596151
Opcode Fuzzy Hash: 2362430c1cca439768a530c5a4284f2fbff27d597b6dd47f20408378d1c52be9
Instruction Fuzzy Hash: 1611B2B215021DBEEF119F68CC85EE77F9DEF08798F008111BA18A2050C6769C21DBA4

Function 0075D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0075D7A3: _free.LIBCMT ref: 0075D7CC

_free.LIBCMT ref: 0075D82D

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075D838
_free.LIBCMT ref: 0075D843
_free.LIBCMT ref: 0075D897
_free.LIBCMT ref: 0075D8A2
_free.LIBCMT ref: 0075D8AD
_free.LIBCMT ref: 0075D8B8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 183e0d6d6c11e5c6a56bb4a11d40991b08678e97d8e7e3f172385b9369051ac2
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: C011E271541704EAD531BFB0CC4BFCB7BDCAF05702F404C15BA99B65A3DBA9B9094A50

Function 0078DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0078DA74
LoadStringW.USER32(00000000), ref: 0078DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0078DA91
LoadStringW.USER32(00000000), ref: 0078DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0078DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0078DAB9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 7e8dd8be26bd5a33c1ba5fbc7e12da3646047985156042900f7abf9034a56dd0
Instruction ID: 888be6492a21c1eb0219b74eb910c487caeb95389d0f039eabdf39f3550f0d30
Opcode Fuzzy Hash: 7e8dd8be26bd5a33c1ba5fbc7e12da3646047985156042900f7abf9034a56dd0
Instruction Fuzzy Hash: 5E0162F29402087FE712ABA49D89FE7376CE708705F408591B706E2081EA789E844F79

Function 0079096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01050598,01050598), ref: 0079097B
EnterCriticalSection.KERNEL32(01050578,00000000), ref: 0079098D
TerminateThread.KERNEL32(?,000001F6), ref: 0079099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007909A9
CloseHandle.KERNEL32(?), ref: 007909B8
InterlockedExchange.KERNEL32(01050598,000001F6), ref: 007909C8
LeaveCriticalSection.KERNEL32(01050578), ref: 007909CF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9df1c3246016dc72cee38fdc1ba1632a6121d34a6f47223a7008b68f55bad408
Instruction ID: d4896579bb45cce2ff879ff5df65bd01129de3b9557b4674531d960e443b818a
Opcode Fuzzy Hash: 9df1c3246016dc72cee38fdc1ba1632a6121d34a6f47223a7008b68f55bad408
Instruction Fuzzy Hash: A9F03131442512BFDB465F94EE8DFD67B35FF01712F409126F101908A0C778A865CF94

Function 00725D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00725D30
GetWindowRect.USER32(?,?), ref: 00725D71
ScreenToClient.USER32(?,?), ref: 00725D99
GetClientRect.USER32(?,?), ref: 00725ED7
GetWindowRect.USER32(?,?), ref: 00725EF8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 91031e587ec9514480d3ffd52336ecebb4adc12bf8b95496b44d81b53e850617
Instruction ID: fe0414c999cdfb3a7a5f899c6ab5c5b55b97dd8960509526ba6fccb8309edff9
Opcode Fuzzy Hash: 91031e587ec9514480d3ffd52336ecebb4adc12bf8b95496b44d81b53e850617
Instruction Fuzzy Hash: F1B16834A00B5ADBDB14CFA9C4807EEB7F1FF58310F14851AE8AAD7250DB38AA51DB54

Function 007501B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007500BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007500D6
__allrem.LIBCMT ref: 007500ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0075010B
__allrem.LIBCMT ref: 00750122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00750140

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: a4b87c9d8fcd12ef7a3177351bda77a7b6836b3de99fdc443e1446303e4d0861
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 86810872A00B06DBE7209F28CC45BAF73E8AF45325F24453AF911D66C1E7F8D9088B91

Function 007A1D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,007A101C,00000000,?,?,00000000), ref: 007A3195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 007A1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007A1DE1
WSAGetLastError.WSOCK32 ref: 007A1DF2
inet_ntoa.WSOCK32(?), ref: 007A1E8C
htons.WSOCK32(?,?,?,?,?), ref: 007A1EDB
_strlen.LIBCMT ref: 007A1F35

Part of subcall function 007839E8: _strlen.LIBCMT ref: 007839F2

Part of subcall function 00726D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0073CF58,?,?,?), ref: 00726DBA
Part of subcall function 00726D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0073CF58,?,?,?), ref: 00726DED

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: cd6761390c034d9cc64d699b4c32835d1fb58cfac510d856002d1793ef09a6b5
Instruction ID: 8e0167df5d07882bccde716239b5e7afd2d6ca76f376a3230e2bef234762cd5e
Opcode Fuzzy Hash: cd6761390c034d9cc64d699b4c32835d1fb58cfac510d856002d1793ef09a6b5
Instruction Fuzzy Hash: BEA1C031604350AFE314DF24C899F2A77E5AFC5318F948A4CF4565B2A2CB39ED46CB91

Function 007561FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007482D9,007482D9,?,?,?,0075644F,00000001,00000001,8BE85006), ref: 00756258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0075644F,00000001,00000001,8BE85006,?,?,?), ref: 007562DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007563D8
__freea.LIBCMT ref: 007563E5

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

__freea.LIBCMT ref: 007563EE
__freea.LIBCMT ref: 00756413

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9568bd59f708cc5476cc93b9c5b19a5d27763eed3ac33116d5f12e814746283e
Instruction ID: 9b090226b57922ecab1b486c67c8d7311d2dc51461755347aaa2e97588dd95bb
Opcode Fuzzy Hash: 9568bd59f708cc5476cc93b9c5b19a5d27763eed3ac33116d5f12e814746283e
Instruction Fuzzy Hash: 3451E072A00216ABEB258F64CC85EFF77AAEB44752F544629FC05D7150EBBCDC48C6A0

Function 007ABBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007ABD25
RegCloseKey.ADVAPI32(00000000), ref: 007ABD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007ABD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007ABDF3
RegCloseKey.ADVAPI32(?), ref: 007ABDFF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 01e2d14ebba648d50bff5b6ccdc9865ae27e8e4a75f5b513f5e0b51eb538efa7
Instruction ID: 2a3a003dbe0f27376ef71a25d76f79e87e57a442315d39358fbf65ea6ca278b6
Opcode Fuzzy Hash: 01e2d14ebba648d50bff5b6ccdc9865ae27e8e4a75f5b513f5e0b51eb538efa7
Instruction Fuzzy Hash: 4F81B230208241EFD714DF24C895E2ABBE5FF85308F148A5CF5994B2A2DB39ED45CB92

Function 0077F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0077F7B9
SysAllocString.OLEAUT32(00000001), ref: 0077F860
VariantCopy.OLEAUT32(0077FA64,00000000), ref: 0077F889
VariantClear.OLEAUT32(0077FA64), ref: 0077F8AD
VariantCopy.OLEAUT32(0077FA64,00000000), ref: 0077F8B1
VariantClear.OLEAUT32(?), ref: 0077F8BB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e09dc7f8b8bf374a3add506ce9fcc0080b3c9f94724c181dd2e3516f38888b14
Instruction ID: 2881f656ba3099c8aa461d24695683d14b38252184f599485173581e13f9ce11
Opcode Fuzzy Hash: e09dc7f8b8bf374a3add506ce9fcc0080b3c9f94724c181dd2e3516f38888b14
Instruction Fuzzy Hash: F7511931600310FACF10AB65D999B69B3A4EF45350F24C467F909EF292DB7C9C40CB66

Function 0079910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007994E5
_wcslen.LIBCMT ref: 00799506
_wcslen.LIBCMT ref: 0079952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00799585

Strings

X, xrefs: 00799412

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 27ea10642a18d9992c99b305d50a4b256e4a71c112a78124e130f68f9a98b0ab
Instruction ID: 2aaea082ca2d582e15f161dc5bf554b611279ab41bfff83bc39d78ed044f313d
Opcode Fuzzy Hash: 27ea10642a18d9992c99b305d50a4b256e4a71c112a78124e130f68f9a98b0ab
Instruction Fuzzy Hash: 00E1C331508350DFDB24DF29D885B6AB7E4BF84310F04896DF9899B2A2DB39DD05CB92

Function 0073920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

BeginPaint.USER32(?,?,?), ref: 00739241
GetWindowRect.USER32(?,?), ref: 007392A5
ScreenToClient.USER32(?,?), ref: 007392C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007392D3
EndPaint.USER32(?,?,?,?,?), ref: 00739321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007771EA

Part of subcall function 00739339: BeginPath.GDI32(00000000), ref: 00739357

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 44da590761ac95d03450f9d1397f93f6e3b763ca72dd77be30fe65f3ce253a01
Instruction ID: c6943f57b7d1019aa3466acea7e850fcba41cc7e85c5895fd1f62aaee689b715
Opcode Fuzzy Hash: 44da590761ac95d03450f9d1397f93f6e3b763ca72dd77be30fe65f3ce253a01
Instruction Fuzzy Hash: 9B41B070104300EFE711DF24CC84FBA7BA8EB85364F148269FA95972A2C7B9A845DB61

Function 007907EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0079080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00790847
EnterCriticalSection.KERNEL32(?), ref: 00790863
LeaveCriticalSection.KERNEL32(?), ref: 007908DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007908F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00790921

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c2c62d791ef7049759bd1c61ca38441e2dd881dfe8597a5a4b5e7f4357de8e4e
Instruction ID: a4ca0d265851bb6deea0882997f7c560a857ce80d70e86546f180d20f2c1ba2b
Opcode Fuzzy Hash: c2c62d791ef7049759bd1c61ca38441e2dd881dfe8597a5a4b5e7f4357de8e4e
Instruction Fuzzy Hash: 88415C71A00205EFEF15AF54DC85AAA7778FF04310F1480A9ED04AE297D738EE65DBA4

Function 007B81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0077F3AB,00000000,?,?,00000000,?,0077682C,00000004,00000000,00000000), ref: 007B824C
EnableWindow.USER32(?,00000000), ref: 007B8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007B82D1
ShowWindow.USER32(?,00000004), ref: 007B82E5
EnableWindow.USER32(?,00000001), ref: 007B830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007B832F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 007784d0136285919b846fcd0429ef58505a15ea33c151fb54c4bc9aff0fc0a9
Instruction ID: 7ac4e797b56725ef87ddd96524989e5f0aabec1fcc351346e24c26e331f5431f
Opcode Fuzzy Hash: 007784d0136285919b846fcd0429ef58505a15ea33c151fb54c4bc9aff0fc0a9
Instruction Fuzzy Hash: EA41B834601644EFDB52CF15C899FE87BE4FB0A714F1882A9E5088F272CB79AC41CB55

Function 00784C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00784C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00784CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00784CEA
_wcslen.LIBCMT ref: 00784D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00784D10
_wcsstr.LIBVCRUNTIME ref: 00784D1A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9a3b89220309d246287d03f3ab629999588090b3f209177d0c900f6317375ed3
Instruction ID: 20fd3fe6d3550596751da48c1c0eb75016f0c89ecca7ab2925c19e0e697a09e2
Opcode Fuzzy Hash: 9a3b89220309d246287d03f3ab629999588090b3f209177d0c900f6317375ed3
Instruction Fuzzy Hash: A2212932644201BBEB166B39DC09E7B7B9CDF45754F108069F905CA192EAA9DC0193B0

Function 0079581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00723AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00723A97,?,?,00722E7F,?,?,?,00000000), ref: 00723AC2

_wcslen.LIBCMT ref: 0079587B
CoInitialize.OLE32(00000000), ref: 00795995
CoCreateInstance.OLE32(007BFCF8,00000000,00000001,007BFB68,?), ref: 007959AE
CoUninitialize.OLE32 ref: 007959CC

Strings

.lnk, xrefs: 00795876, 007958C1, 00795985

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 15171f2d431b727ed5bdc791022d9799b45508269fffa32fd2d201f01991d4ac
Instruction ID: 81471ffa5075d6d874251366716aab0e5b6a12cf3833c9078c79c72db2a67f0e
Opcode Fuzzy Hash: 15171f2d431b727ed5bdc791022d9799b45508269fffa32fd2d201f01991d4ac
Instruction Fuzzy Hash: DDD173B1604620DFCB15DF25D484A2ABBE1FF89720F14885DF8899B361DB39EC45CB92

Function 0078175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00780FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00780FCA
Part of subcall function 00780FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00780FD6
Part of subcall function 00780FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00780FE5
Part of subcall function 00780FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00780FEC
Part of subcall function 00780FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00781002

GetLengthSid.ADVAPI32(?,00000000,00781335), ref: 007817AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007817BA
HeapAlloc.KERNEL32(00000000), ref: 007817C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007817DA
GetProcessHeap.KERNEL32(00000000,00000000,00781335), ref: 007817EE
HeapFree.KERNEL32(00000000), ref: 007817F5

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9196e360a7695af65339a792e66b6d39b4852b437eb7160c4e821aa24e1c2c72
Instruction ID: 1a5be5933ff4b3c0742fe2ab2815bf70e47e6bdeca9dca196322bba651177801
Opcode Fuzzy Hash: 9196e360a7695af65339a792e66b6d39b4852b437eb7160c4e821aa24e1c2c72
Instruction Fuzzy Hash: 1711A9B2640209EFDB11AFA8DC49FAE7BADEB41355F50C11DF481A7210D73AA945CB60

Function 007814CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007814FF
OpenProcessToken.ADVAPI32(00000000), ref: 00781506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00781515
CloseHandle.KERNEL32(00000004), ref: 00781520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00781563

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e55d5282b5c09af1aa007a5f52305276489d5b1c99a5f9ebd50976dbde54b37b
Instruction ID: f4cd126bd816a4907c9defea32d11b7f694c44f8bfa53dce9a908ff25e678575
Opcode Fuzzy Hash: e55d5282b5c09af1aa007a5f52305276489d5b1c99a5f9ebd50976dbde54b37b
Instruction Fuzzy Hash: D5115672504249ABDF129FA8ED49FDE7BADEF48704F048124FA05A2060C3798E61DB60

Function 00743382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00743379,00742FE5), ref: 00743390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0074339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007433B7
SetLastError.KERNEL32(00000000,?,00743379,00742FE5), ref: 00743409

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d16a2bd43bbd73c41b6954daca9e304e53777d87f48360d1bf6e001852aeac3e
Instruction ID: d81751c2584d564d701fba8f48fefcb59910d1fbd79ea62212922639a49a7961
Opcode Fuzzy Hash: d16a2bd43bbd73c41b6954daca9e304e53777d87f48360d1bf6e001852aeac3e
Instruction Fuzzy Hash: 2C01FC33609312FFA61A2B747CC9A772A94EB097797208329F428891F1EF1D4E025548

Function 00752D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00755686,00763CD6,?,00000000,?,00755B6A,?,?,?,?,?,0074E6D1,?,007E8A48), ref: 00752D78
_free.LIBCMT ref: 00752DAB
_free.LIBCMT ref: 00752DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0074E6D1,?,007E8A48,00000010,00724F4A,?,?,00000000,00763CD6), ref: 00752DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0074E6D1,?,007E8A48,00000010,00724F4A,?,?,00000000,00763CD6), ref: 00752DEC
_abort.LIBCMT ref: 00752DF2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: ea7236557e8775262b25e6f629dfd078299e7be50d189b6c8efa3f8b9213008e
Instruction ID: 5ef367ab7b7532920c7a8582a4dc0ba4a81523e97574272f44f1c46cc51710a8
Opcode Fuzzy Hash: ea7236557e8775262b25e6f629dfd078299e7be50d189b6c8efa3f8b9213008e
Instruction Fuzzy Hash: 69F0A936605B00B7C25327346C0EEDA26656BC37A3F24851DFC24A72A3EFEC980F4161

Function 007B8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00739639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396A2
Part of subcall function 00739639: BeginPath.GDI32(?), ref: 007396B9
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007B8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007B8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007B8A70
LineTo.GDI32(?,00000000,00000003), ref: 007B8A80
EndPath.GDI32(?), ref: 007B8A90
StrokePath.GDI32(?), ref: 007B8AA0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5568e602bc7fa9c1b12aae38d3e34f2029636b97aa321552339b30b9593ed261
Instruction ID: 209225c18783b75852587a51690f04bae72d54e6c35a90a5bc1a66a5dcbf3e24
Opcode Fuzzy Hash: 5568e602bc7fa9c1b12aae38d3e34f2029636b97aa321552339b30b9593ed261
Instruction Fuzzy Hash: 6811F37640014DFFEB129F94DC88FAA7F6CEB08350F00C122FA199A1A1C776AD55DBA4

Function 007851FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00785218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00785229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00785230
ReleaseDC.USER32(00000000,00000000), ref: 00785238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0078524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00785261

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 202bc9d54030c9c658359f10a268b2dc3570f2608e10a20d37d84b781c615e9f
Instruction ID: 9e842426126638b8b425a961582dd0ae88a8e4dd229c24e6d4c3bef1d67effff
Opcode Fuzzy Hash: 202bc9d54030c9c658359f10a268b2dc3570f2608e10a20d37d84b781c615e9f
Instruction Fuzzy Hash: BA0184B5E40708BBEB116BA99C49F4EBFB8FB44351F048165FA04A7280DA749800CB64

Function 00721BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00721BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00721BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00721C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00721C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00721C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00721C22

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c036453b504d3d7accffbfa8535c03efda531f506c854cecf3e6d91d679031da
Instruction ID: ac511b47bb4cf4415f651f7ed637b65bac3b9a0595adc988a823d483d82ca389
Opcode Fuzzy Hash: c036453b504d3d7accffbfa8535c03efda531f506c854cecf3e6d91d679031da
Instruction Fuzzy Hash: F80167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0078EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0078EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0078EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0078EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0078EB75

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c74ee00f1e58482bcc20129ce25c6d74009131c727ddd7dee129c34dc703ed68
Instruction ID: 0fe5b4c6b82d570f322f16ce9a719a7594519f4a03cc103d32dcd48c18bbc457
Opcode Fuzzy Hash: c74ee00f1e58482bcc20129ce25c6d74009131c727ddd7dee129c34dc703ed68
Instruction Fuzzy Hash: 79F01272140158BBD62257569C0DFEB3A7CEBCAB15F008259F501E1091A7A45A0186B9

Function 00777439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00777452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00777469
GetWindowDC.USER32(?), ref: 00777475
GetPixel.GDI32(00000000,?,?), ref: 00777484
ReleaseDC.USER32(?,00000000), ref: 00777496
GetSysColor.USER32(00000005), ref: 007774B0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 733c58fd871cedc7a941eb32d9fb5342ade40b354e590434f993b8b0c776f119
Instruction ID: 94bfb534175642a172356b3fba62e305fc85685a87870762dea1bd953628b960
Opcode Fuzzy Hash: 733c58fd871cedc7a941eb32d9fb5342ade40b354e590434f993b8b0c776f119
Instruction Fuzzy Hash: E1014B31400215EFEB525FA4DC08FEA7BB5FF04351F61C264F919A61A1CB391E51EB54

Function 00781874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0078187F
UnloadUserProfile.USERENV(?,?), ref: 0078188B
CloseHandle.KERNEL32(?), ref: 00781894
CloseHandle.KERNEL32(?), ref: 0078189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007818A5
HeapFree.KERNEL32(00000000), ref: 007818AC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3efc394a6337e466c2e43327af04d316e1a10c10094824b25e092df6c8e099e5
Instruction ID: ff1b32a93369d2d5a7effba65bbc861e4568cdbcfcf8d2da68b2226337cf0a01
Opcode Fuzzy Hash: 3efc394a6337e466c2e43327af04d316e1a10c10094824b25e092df6c8e099e5
Instruction Fuzzy Hash: F6E0C2B6004109BBDA025FA5ED0CE0ABB69FB49B22B50C321F225D1070CB369820DB68

Function 007A7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00740242: EnterCriticalSection.KERNEL32(007F070C,007F1884,?,?,0073198B,007F2518,?,?,?,007212F9,00000000), ref: 0074024D
Part of subcall function 00740242: LeaveCriticalSection.KERNEL32(007F070C,?,0073198B,007F2518,?,?,?,007212F9,00000000), ref: 0074028A

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007400A3: __onexit.LIBCMT ref: 007400A9

__Init_thread_footer.LIBCMT ref: 007A7BFB

Part of subcall function 007401F8: EnterCriticalSection.KERNEL32(007F070C,?,?,00738747,007F2514), ref: 00740202
Part of subcall function 007401F8: LeaveCriticalSection.KERNEL32(007F070C,?,00738747,007F2514), ref: 00740235

Strings

+Tw, xrefs: 007A7E2E
5, xrefs: 007A7C78
Variable must be of type 'Object'., xrefs: 007A7C3A
G, xrefs: 007A7C7F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tw$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2516738615
Opcode ID: 0fcdeb298bac78a905b956ebea51d951db8823868a28f1b688ac80fe08469e24
Instruction ID: 885df511b3719666fd8ca1bfba977ca229c09eba259296382d395133e82e6a65
Opcode Fuzzy Hash: 0fcdeb298bac78a905b956ebea51d951db8823868a28f1b688ac80fe08469e24
Instruction Fuzzy Hash: EA91BF71A04209EFCB08EF54D895DBDB7B5FF8A300F148159F8069B292DB79AE41CB61

Function 0078C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0078C6EE
_wcslen.LIBCMT ref: 0078C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0078C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0078C7CA

Strings

0, xrefs: 0078C6AF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4f9cfbc5068032259dd599d686a813792e4b42fa29a0e360f337c85d92631234
Instruction ID: e6ed3808087997d3f3096fbd36bdd03d3512f9afefdb02783d8fe01be2eeef2f
Opcode Fuzzy Hash: 4f9cfbc5068032259dd599d686a813792e4b42fa29a0e360f337c85d92631234
Instruction Fuzzy Hash: 9C51CF716943019BD716EF28C889B6B77E8AF49310F040A39FA95D32A1DB7CD904CB66

Function 007AAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 007AAEA3

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

GetProcessId.KERNEL32(00000000), ref: 007AAF38
CloseHandle.KERNEL32(00000000), ref: 007AAF67

Strings

@, xrefs: 007AAE72
<, xrefs: 007AAE6B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 048a7bf7bdc98f760e5edb147c523f5e0f78c38fd3bf55fb45bb38d721585a02
Instruction ID: 797af0b9fab433c31fca15e93bcf66f3ad02570c87a6eb159303e2c6285d7288
Opcode Fuzzy Hash: 048a7bf7bdc98f760e5edb147c523f5e0f78c38fd3bf55fb45bb38d721585a02
Instruction Fuzzy Hash: A071AD71A00629EFCB18DF54D489A9EBBF0FF49310F048599E856AB352C778ED41CB91

Function 0078719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00787206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0078723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0078724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007872CF

Strings

DllGetClassObject, xrefs: 00787242

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 55b0f3153644ac5bb04eca8b4408e733bc71917cc80ea320bdcf2e32a5eac4c7
Instruction ID: b46efc129e0bbe8a2131000ac7f174617ebb63b26a7691f636622514d32a88ee
Opcode Fuzzy Hash: 55b0f3153644ac5bb04eca8b4408e733bc71917cc80ea320bdcf2e32a5eac4c7
Instruction Fuzzy Hash: 224153B1644204DFDB19DF54C884B9A7BB9FF48310F2480A9FD0A9F21AD7B9D944DBA0

Function 007B3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007B3E35
IsMenu.USER32(?), ref: 007B3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007B3E92
DrawMenuBar.USER32 ref: 007B3EA5

Strings

0, xrefs: 007B3D89

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 78e1dc78d69d643a7d2c84e874c42b73690d80bde33d111e79f497664d16a986
Instruction ID: 9c8572bc47cfed2b178f39d660b0aa00e954deb736a510533a69963a893955c6
Opcode Fuzzy Hash: 78e1dc78d69d643a7d2c84e874c42b73690d80bde33d111e79f497664d16a986
Instruction Fuzzy Hash: 52413875A00209EFDB10DF50D884EEABBB5FF48350F04812AF915AB250D738EE94CBA0

Function 00781DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00781E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00781E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00781EA9

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Strings

ListBox, xrefs: 00781E25
ComboBox, xrefs: 00781DF0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ed6c9eab48f684c1c25253a019b0cb0fa46c996274b6a0d28f5b5b4866124429
Instruction ID: 653601d0e57bbc39563da61dbeac42278d455d8d55b00811b860eb3da92b20d9
Opcode Fuzzy Hash: ed6c9eab48f684c1c25253a019b0cb0fa46c996274b6a0d28f5b5b4866124429
Instruction Fuzzy Hash: 4521F3B1A40108EADB14AB65EC49CFFB7BCEF45364F588129F825A71E1DB7C490A8720

Function 007AC9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007AC9F1
_wcslen.LIBCMT ref: 007ACA68
_wcslen.LIBCMT ref: 007ACA9E
_wcslen.LIBCMT ref: 007ACAF9
_wcslen.LIBCMT ref: 007ACB2F
_wcslen.LIBCMT ref: 007ACB7F

Strings

HKLM, xrefs: 007ACA98, 007ACA9D
HKEY_LOCAL_MACHINE, xrefs: 007ACA62, 007ACA67

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 942aa0132bbfeb827533d1a5dff6a6d94f71886c3b2786707184bb59e2ffbef7
Instruction ID: a97ab412709cabf2c8c959e6f7997113d8c88a1348dc71883d3a88d0e95f75ff
Opcode Fuzzy Hash: 942aa0132bbfeb827533d1a5dff6a6d94f71886c3b2786707184bb59e2ffbef7
Instruction Fuzzy Hash: 47312873A0056DABCB22DF6D98401BE33915BE3754F05C229E845AB344EA7CCD40D3A0

Function 007B2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007B2F8D
LoadLibraryW.KERNEL32(?), ref: 007B2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007B2FA9
DestroyWindow.USER32(?), ref: 007B2FB1

Strings

SysAnimate32, xrefs: 007B2F68

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 08b38e1e0af812c43a676439048323d2e9d54dcdb43a94763ee95871d9c9105b
Instruction ID: b1f781c3db6c9e6d95c4981ed1c740a86c17045f45033f9e185d9e221d9be7c8
Opcode Fuzzy Hash: 08b38e1e0af812c43a676439048323d2e9d54dcdb43a94763ee95871d9c9105b
Instruction Fuzzy Hash: D321DC71201205AFEF118F64DC84FFB37B9EB58368F108618FA10D20A1C779DC429760

Function 00744D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00744D1E,007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002), ref: 00744D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00744DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00744D1E,007528E9,?,00744CBE,007528E9,007E88B8,0000000C,00744E15,007528E9,00000002,00000000), ref: 00744DC3

Strings

mscoree.dll, xrefs: 00744D86
CorExitProcess, xrefs: 00744D98

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5701a7d95c4e4dd2075b832fc7519b56d14210939dfc57767a32926c9e5e53e4
Instruction ID: 031827f62289b3a56910950fdd0cd8bfe786010b45b5554a58ca8755447254a0
Opcode Fuzzy Hash: 5701a7d95c4e4dd2075b832fc7519b56d14210939dfc57767a32926c9e5e53e4
Instruction Fuzzy Hash: DFF0AF34A0020CFBDB129F94DC49FADBBB9EF04711F0081A8F909A2260CB789940DED4

Function 0077D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0077D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0077D3BF
FreeLibrary.KERNEL32(00000000), ref: 0077D3E5

Strings

X64, xrefs: 0077D2A8
GetSystemWow64DirectoryW, xrefs: 0077D3B9

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: b517334126dd9c6242f3a7ec46b108469715e00797ff8e7a27d8f803ac69b590
Instruction ID: 8c95c33b7cd66a500bd43bfa4e722298c021493f86943aab534d529c0072ac79
Opcode Fuzzy Hash: b517334126dd9c6242f3a7ec46b108469715e00797ff8e7a27d8f803ac69b590
Instruction Fuzzy Hash: ADF055B0802628CBEF3223148C48E7D7234BF10B81FA5C268F80EF2042EB6CCD418693

Function 00724E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00724EAE
FreeLibrary.KERNEL32(00000000,?,?,00724EDD,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00724EA8
kernel32.dll, xrefs: 00724E94

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: be0de4a8cd8200089072660da218173315f7eeb7530205a834972ace23ffee48
Instruction ID: b5b960e0f60750f2f47836ddec805665a6a4702ecb100ea3214bf232018e0367
Opcode Fuzzy Hash: be0de4a8cd8200089072660da218173315f7eeb7530205a834972ace23ffee48
Instruction Fuzzy Hash: B2E0CDB5E026365BE2331729BC1CF5F6558AF81F627068255FC00F3200DBACCD0240B4

Function 00724E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00724E74
FreeLibrary.KERNEL32(00000000,?,?,00763CDE,?,007F1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00724E87

Strings

kernel32.dll, xrefs: 00724E5B
Wow64RevertWow64FsRedirection, xrefs: 00724E6E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: de8c265dd4a047a7844ea3d4975d5935163e0e4d61bfba6284365fb08ca9a1fb
Instruction ID: 429081468398f225ce5247db8aaf82186386ceb398bebef78ad6331c6b8a0a0a
Opcode Fuzzy Hash: de8c265dd4a047a7844ea3d4975d5935163e0e4d61bfba6284365fb08ca9a1fb
Instruction Fuzzy Hash: D8D0C271902676576A231B297C0CF8F2A18AF85B11306C650F800B2120CF6CCD0281E4

Function 00792947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792C05
DeleteFileW.KERNEL32(?), ref: 00792C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00792C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00792CC0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6ac4227c9559fb2869a656d631f51f014541f84c646b23430e9f6f6421cd2881
Instruction ID: 9bc39b1b9592b27e2df98c11fbb260f3bf17e9bc51247bd8b631f9fcd71edbcd
Opcode Fuzzy Hash: 6ac4227c9559fb2869a656d631f51f014541f84c646b23430e9f6f6421cd2881
Instruction Fuzzy Hash: 7FB15F71D00119EBDF21EBA4DC89EDEB7BDEF09350F1040A6F509E6152EB389E458B61

Function 007AA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 007AA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007AA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007AA468
CloseHandle.KERNEL32(?), ref: 007AA63D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2190516ab0da1ecfaba49020886ebe5e5e50fd4287f4311796d2150f119d4fed
Instruction ID: ef56ee554b0e0fba8ec85dc5591e6135c1fe4852adc4a0f02acee5427ac4d945
Opcode Fuzzy Hash: 2190516ab0da1ecfaba49020886ebe5e5e50fd4287f4311796d2150f119d4fed
Instruction Fuzzy Hash: BDA1B171604300AFE720DF24D886F2AB7E5AF88714F14891DF55A9B2D2D7B8EC41CB92

Function 0078E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0078CF22,?), ref: 0078DDFD

Part of subcall function 0078DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0078CF22,?), ref: 0078DE16

Part of subcall function 0078E199: GetFileAttributesW.KERNEL32(?,0078CF95), ref: 0078E19A

lstrcmpiW.KERNEL32(?,?), ref: 0078E473
MoveFileW.KERNEL32(?,?), ref: 0078E4AC
_wcslen.LIBCMT ref: 0078E5EB
_wcslen.LIBCMT ref: 0078E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0078E650

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a2a95a336fb2412cf1c97b166a7355aa6619e4bcc70365841f489a017150000f
Instruction ID: 90870cc5a121b7a377f3cd3183f94a16dda1eb7a0b816d76c730288d6df16933
Opcode Fuzzy Hash: a2a95a336fb2412cf1c97b166a7355aa6619e4bcc70365841f489a017150000f
Instruction Fuzzy Hash: 0A5155B25483859BC734EBA0DC959DFB3DCAF84340F04492EF689D3151EF78A6888766

Function 007AB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 007AC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007AB6AE,?,?), ref: 007AC9B5
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007AC9F1
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA68
Part of subcall function 007AC998: _wcslen.LIBCMT ref: 007ACA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007ABAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007ABB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007ABB63
RegCloseKey.ADVAPI32(?,?), ref: 007ABBA6
RegCloseKey.ADVAPI32(00000000), ref: 007ABBB3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f0aa048fa2b29a23cf75884ee59887143b921a952a080bbdd978c3ae03ac50b1
Instruction ID: 3bc9f7a291219497d1d99f78f23f11a6b7de8625c68461eff2c186468ca763f5
Opcode Fuzzy Hash: f0aa048fa2b29a23cf75884ee59887143b921a952a080bbdd978c3ae03ac50b1
Instruction Fuzzy Hash: 1B619171208241EFD314DF64C894E2ABBE5FF85308F54865CF4994B2A2DB39ED45CBA2

Function 00788BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00788BCD
VariantClear.OLEAUT32 ref: 00788C3E
VariantClear.OLEAUT32 ref: 00788C9D
VariantClear.OLEAUT32(?), ref: 00788D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00788D3B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a0810203a0209a67dec63c14a53c84df2ec22bbbeb07277c238cdc27862ccbb5
Instruction ID: c52f08977227172f06e19f373d7e5547c878188552fa5827db47889cd34411e6
Opcode Fuzzy Hash: a0810203a0209a67dec63c14a53c84df2ec22bbbeb07277c238cdc27862ccbb5
Instruction Fuzzy Hash: CA5169B5A00219EFCB10DF68C894AAABBF8FF8D310B158559E915DB354E734E911CBA0

Function 00798AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00798BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00798BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00798C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00798C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00798C5F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8646b424310c5b531d94fc4ecac4b15b8c6eb214455d690511e57af85a84837d
Instruction ID: b0ae21c332abf4485d91572ae6c08e388a8c0174af9bd144525513d4e94ff636
Opcode Fuzzy Hash: 8646b424310c5b531d94fc4ecac4b15b8c6eb214455d690511e57af85a84837d
Instruction Fuzzy Hash: 8A514835A00215DFCB05DF65D885EA9BBF5FF49314F088098E849AB362CB39ED51CBA1

Function 007A8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 007A8F40
GetProcAddress.KERNEL32(00000000,?), ref: 007A8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 007A8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 007A9032
FreeLibrary.KERNEL32(00000000), ref: 007A9052

Part of subcall function 0073F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00791043,?,753CE610), ref: 0073F6E6
Part of subcall function 0073F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0077FA64,00000000,00000000,?,?,00791043,?,753CE610,?,0077FA64), ref: 0073F70D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a56ac84f880e0997dd49050f93fa04abb1cd2e6ee42bc415771a7f0bead98ea1
Instruction ID: d5111dd762f46972b1fdd73bc5b650eb5e8dc0d1eb0c7fb88cb2e2248bb3c911
Opcode Fuzzy Hash: a56ac84f880e0997dd49050f93fa04abb1cd2e6ee42bc415771a7f0bead98ea1
Instruction Fuzzy Hash: 65512935600216DFC715DF58C4848ADBBB1FF8A314F0881A9E906AB362DB39ED85CB91

Function 007B6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007B6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007B6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007B6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0079AB79,00000000,00000000), ref: 007B6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007B6CC7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 1cdc1ea2ab8dfac5c3649f3cca93b4c425dbc5ac6aa9265e81d15ad1ff556a86
Instruction ID: 9afc4c55a34692bb891f178e77d61d6bd670ba1d5753f42be34968cd663ed353
Opcode Fuzzy Hash: 1cdc1ea2ab8dfac5c3649f3cca93b4c425dbc5ac6aa9265e81d15ad1ff556a86
Instruction Fuzzy Hash: 4A41A175604104AFD725DF28CC58FEA7FA5EB09350F154268FA95A72A0C37DFD41CAA0

Function 00752051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007520C3
_free.LIBCMT ref: 007520E3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f19496d70bf9421c794406415dcc8802661431dc558e8d49edac373e0127d245
Instruction ID: 50429f23c3c09b3f07c5a99ec7357538106af295c2b6fcf58125cabdda5960c8
Opcode Fuzzy Hash: f19496d70bf9421c794406415dcc8802661431dc558e8d49edac373e0127d245
Instruction Fuzzy Hash: 8941E732E00604DFDB20DF78C884A9EB3A5EF8A310F154568E915EB392D775AD06CB80

Function 0073912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00739141
ScreenToClient.USER32(00000000,?), ref: 0073915E
GetAsyncKeyState.USER32(00000001), ref: 00739183
GetAsyncKeyState.USER32(00000002), ref: 0073919D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 64b076af6ad029d22899d2699da1cf7d02415b82dba00dbd0432b54ef698c70a
Instruction ID: cffef765d72a10866f7a2ef4f2a1c17373aee9f3bc59249a496000f5b1e2ad62
Opcode Fuzzy Hash: 64b076af6ad029d22899d2699da1cf7d02415b82dba00dbd0432b54ef698c70a
Instruction Fuzzy Hash: 4D417031A0850AFBDF199F64C848BEEB774FF45360F208215E529A3291D7785D50CFA1

Function 00793874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007938CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00793922
TranslateMessage.USER32(?), ref: 0079394B
DispatchMessageW.USER32(?), ref: 00793955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00793966

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0b6e6e3918f5c072504b3a50e4875ff01af4499974d6e195f2a3660a3765d471
Instruction ID: d0f28cad6a2ed45b39c04083c1944e1dd4c5038f03de4caab33a353e635b8751
Opcode Fuzzy Hash: 0b6e6e3918f5c072504b3a50e4875ff01af4499974d6e195f2a3660a3765d471
Instruction Fuzzy Hash: CB31D370904341DEEF35CB34A848FB637E8AB15328F54856DE466C61A0E7FCBA85CB25

Function 0079CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0079CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0079C21E,00000000), ref: 0079CFF2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bb60d411b64f0ff0582cc3f804cc1c74e912ea99061bda69aa3a9e16794f1a6b
Instruction ID: 7a0f57ba10aa781232d290cf3493358287948895d909c79cfefc281f310821b9
Opcode Fuzzy Hash: bb60d411b64f0ff0582cc3f804cc1c74e912ea99061bda69aa3a9e16794f1a6b
Instruction Fuzzy Hash: F2315272500605EFDF21DFA5D888EABBBFAEB14350B10842EF506D2141DB38AE41DB60

Function 00781901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00781915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007819C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007819C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007819DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007819E2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 778750a0b28f438cb3deea7ff0d50102e45ccaedc31b4883c7f0670183ee6f8b
Instruction ID: 9c733c10f6a04c1e18200353bfa3039af6ca0dea9a80162bb050ff006a4307e0
Opcode Fuzzy Hash: 778750a0b28f438cb3deea7ff0d50102e45ccaedc31b4883c7f0670183ee6f8b
Instruction Fuzzy Hash: 9231AF71900259EFCB00DFA8C999FEE3BB9EB04315F108265F961A72D1C774A945CB90

Function 007B5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007B5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007B579D
_wcslen.LIBCMT ref: 007B57AF
_wcslen.LIBCMT ref: 007B57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B5816

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: f872720a58d7e2fe1f27497fa7be34e33b30cc17c4804e0db6040c6b0a1ca4b4
Instruction ID: bebd7708ea7ef648e7e409f75d49848502ec40beb1ed3413ae19222a0630dd91
Opcode Fuzzy Hash: f872720a58d7e2fe1f27497fa7be34e33b30cc17c4804e0db6040c6b0a1ca4b4
Instruction Fuzzy Hash: 72217171904618EADB209FA0CC85FEE77B8FF04724F108256E929EB180D7789985CF50

Function 007A0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007A0951
GetForegroundWindow.USER32 ref: 007A0968
GetDC.USER32(00000000), ref: 007A09A4
GetPixel.GDI32(00000000,?,00000003), ref: 007A09B0
ReleaseDC.USER32(00000000,00000003), ref: 007A09E8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4ee21d99db91e0adc0782435ab4d9b506744863c0d0d58810ab5b11b39148100
Instruction ID: e267dcb19fe6f1802830d442b00411d86023c2a66fbb6d9bcc68435a4ff560e0
Opcode Fuzzy Hash: 4ee21d99db91e0adc0782435ab4d9b506744863c0d0d58810ab5b11b39148100
Instruction Fuzzy Hash: 33215035600214AFD704EF69D849E5EB7E5EF49700F04C568E84697752DB38AC04CB90

Function 0075CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0075CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0075CDE9

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0075CE0F
_free.LIBCMT ref: 0075CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0075CE31

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7046873e4ed4c6b04393a22e6fbde66e150d05c3a6c1ed6dad60c9b1424a9287
Instruction ID: 1bac424b209bd1bb2857e2af7e0765165afdf9344067c19d7be2c939c0d066c5
Opcode Fuzzy Hash: 7046873e4ed4c6b04393a22e6fbde66e150d05c3a6c1ed6dad60c9b1424a9287
Instruction Fuzzy Hash: F501D8726013157F2323167A6C4EEBB696DDEC6BA2315422DFD05D7201DAA98D0581F4

Function 00739639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
SelectObject.GDI32(?,00000000), ref: 007396A2
BeginPath.GDI32(?), ref: 007396B9
SelectObject.GDI32(?,00000000), ref: 007396E2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8c9ab1c3ea3fb35337b0fb9b9274ca7986687dc6eb38bd72aa7a1d4d4428a3b1
Instruction ID: 4b8c061836a6d7f397d51b95b9293608b87ff1e5231cecd9e7e80dff5a2e17cd
Opcode Fuzzy Hash: 8c9ab1c3ea3fb35337b0fb9b9274ca7986687dc6eb38bd72aa7a1d4d4428a3b1
Instruction Fuzzy Hash: EA217F70812349EBEB11DF29DC19BB93BA8BB10355F50C216F510A61A1D3FDA891CFD8

Function 00785711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00785726
_memcmp.LIBVCRUNTIME ref: 00785744
_memcmp.LIBVCRUNTIME ref: 00785757
_memcmp.LIBVCRUNTIME ref: 0078576F
_memcmp.LIBVCRUNTIME ref: 00785787

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: eeab76b49a454d986e66c545d25b536c13031d50805624880bdf397992c594cb
Instruction ID: 0d03a29348e136600162944b7bcfb63e78b9a296ed619dee8e973d97198efb47
Opcode Fuzzy Hash: eeab76b49a454d986e66c545d25b536c13031d50805624880bdf397992c594cb
Instruction Fuzzy Hash: FD01B5A5681A09FBE2087520DD82FFB735D9B21794F808030FD049A241F76CED5083B4

Function 00752DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0074F2DE,00753863,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6), ref: 00752DFD
_free.LIBCMT ref: 00752E32
_free.LIBCMT ref: 00752E59
SetLastError.KERNEL32(00000000,00721129), ref: 00752E66
SetLastError.KERNEL32(00000000,00721129), ref: 00752E6F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2f7ed96dda1f34a1493e33403ac6f941240fe5cd062e0b1d52ac7af488cb5f3f
Instruction ID: ac3a3e29572318b8a1947201ed4458e58d50231b596723f5169d2e30e778012b
Opcode Fuzzy Hash: 2f7ed96dda1f34a1493e33403ac6f941240fe5cd062e0b1d52ac7af488cb5f3f
Instruction Fuzzy Hash: C8014E71205540A7C61323742C4FDEB1659ABD33A7B248118FC21A3293EFFC9C0F0064

Function 0078000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?,?,0078035E), ref: 0078002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?), ref: 00780064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0077FF41,80070057,?,?), ref: 00780070

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 79d98ab33adffdb3d0987e1d818ebc433b04995c148b338e6f71876145d82386
Instruction ID: f598adfdb1dc87b93d065fa2ace0545e758a3fb57eb6f8e3e0fd9dd02fd39f3b
Opcode Fuzzy Hash: 79d98ab33adffdb3d0987e1d818ebc433b04995c148b338e6f71876145d82386
Instruction Fuzzy Hash: 9401AD76640204BFDB526F68DC08FAA7AEDEF447A2F148224F905D6210E779DD44ABA0

Function 0078E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0078E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0078E9A5
Sleep.KERNEL32(00000000), ref: 0078E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0078E9B7
Sleep.KERNEL32 ref: 0078E9F3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: dc681bec15db1c71f620f226cff581ada5678b6ff43b9f5cf2453b8127de77cf
Instruction ID: dce7435ffc16c791129e1211ac86fb7d7d24f1faebec45abce25430d3892a83b
Opcode Fuzzy Hash: dc681bec15db1c71f620f226cff581ada5678b6ff43b9f5cf2453b8127de77cf
Instruction Fuzzy Hash: B2018C71C4162DDBCF00AFE9DC49AEDBB78FF08301F008646E942B2241DB78A550CBA6

Function 007810F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00781114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 0078112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00780B9B,?,?,?), ref: 00781136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0078114D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d6083e36e7d803d1af07ab6ebaa7fa4ed8c045cb926c1ce8289377550139841c
Instruction ID: eb1d99279d5ad8b21f2e2907185f83f3d74b9f33c1142855b3155b13e8e5b49c
Opcode Fuzzy Hash: d6083e36e7d803d1af07ab6ebaa7fa4ed8c045cb926c1ce8289377550139841c
Instruction Fuzzy Hash: 720181B5500209BFDB125F68DC5DEAA3F6EEF85360B508415FA41D3350DB35DC008B60

Function 00780FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00780FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00780FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00780FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00780FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00781002

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 26ba83a6bde2a143b3473f99b4f411bae63e2ee00c05f3863dadcc5e983941f3
Instruction ID: d09b77d96878492983c82642a3a1cbab3fb79b25404a195776e676b63674eee5
Opcode Fuzzy Hash: 26ba83a6bde2a143b3473f99b4f411bae63e2ee00c05f3863dadcc5e983941f3
Instruction Fuzzy Hash: 37F0CD75240305EBDB222FA8DC4EF563BADEF89762F508425FA05D7250CA38DC408B60

Function 00781014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0078102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00781036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0078104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781062

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2ca08fdfb0a959d6be35738519d15547dfbf8f21e44be99b8cf8993b293a579b
Instruction ID: 7c66f5d7b5b03702b8929683c9805caf2af82c40779845653cb16edb86c167ea
Opcode Fuzzy Hash: 2ca08fdfb0a959d6be35738519d15547dfbf8f21e44be99b8cf8993b293a579b
Instruction Fuzzy Hash: F9F0CD75240305EBDB222FA8EC49F573BADEF89761F508425FA05D7250CA38DC408B60

Function 0079030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790324
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790331
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 0079033E
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 0079034B
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790358
CloseHandle.KERNEL32(?,?,?,?,0079017D,?,007932FC,?,00000001,00762592,?), ref: 00790365

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bcb0998b2e88feb9d077635b63748a2d72bf47fa7a12773e6cff99e416e8f149
Instruction ID: c287ba9b296ff9df263adf976c8d7f779b7cdf612228e983ea43010f63b6eb35
Opcode Fuzzy Hash: bcb0998b2e88feb9d077635b63748a2d72bf47fa7a12773e6cff99e416e8f149
Instruction Fuzzy Hash: B701AE72810B159FCB30AF66E880812FBF9BF603153158A3FD19652931C3B5A958DF80

Function 0075D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0075D752

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 0075D764
_free.LIBCMT ref: 0075D776
_free.LIBCMT ref: 0075D788
_free.LIBCMT ref: 0075D79A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 22c48e723459bf40ebf952e5fa7ec50046c0349a99d6378c2a2343eced8f928e
Instruction ID: 15de1e76c1e408ee1adf3d0377898d6f27dd5d0575b500f5e0fc947ef5bdb233
Opcode Fuzzy Hash: 22c48e723459bf40ebf952e5fa7ec50046c0349a99d6378c2a2343eced8f928e
Instruction Fuzzy Hash: 07F04F32501248AB8636EB64F9C5CD67BDDBB0D3127A54C05F848FB612CBACFC858A64

Function 00785C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00785C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00785C6F
MessageBeep.USER32(00000000), ref: 00785C87
KillTimer.USER32(?,0000040A), ref: 00785CA3
EndDialog.USER32(?,00000001), ref: 00785CBD

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b9db91b1a468ec9d66b1cdb90fcd1ea54b57f23a09ee486e72d0b407f4481514
Instruction ID: 1af06f1740ce138ac49f6eb6b0d9feeb73aed48c2803056396eddec84d817a6b
Opcode Fuzzy Hash: b9db91b1a468ec9d66b1cdb90fcd1ea54b57f23a09ee486e72d0b407f4481514
Instruction Fuzzy Hash: 7101A970540B05ABEB326B10DD4EFA677B8BF00B05F005659B583A14E1DBF8AD84CFA4

Function 007522A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007522BE

Part of subcall function 007529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000), ref: 007529DE
Part of subcall function 007529C8: GetLastError.KERNEL32(00000000,?,0075D7D1,00000000,00000000,00000000,00000000,?,0075D7F8,00000000,00000007,00000000,?,0075DBF5,00000000,00000000), ref: 007529F0

_free.LIBCMT ref: 007522D0
_free.LIBCMT ref: 007522E3
_free.LIBCMT ref: 007522F4
_free.LIBCMT ref: 00752305

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 33e969a4c00ba35876b01ccf1c5b6a54972ed10d8329ee3d10b722b90ce9a5eb
Instruction ID: c9c0f5d13590514f276258a82de53e46846b1a294670ac00dc7a83e85498672e
Opcode Fuzzy Hash: 33e969a4c00ba35876b01ccf1c5b6a54972ed10d8329ee3d10b722b90ce9a5eb
Instruction Fuzzy Hash: CCF03078501110DB8613AF94BC458E83BA4B719752B418506F820F6373C77D1417DFED

Function 007395C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007395D4
StrokeAndFillPath.GDI32(?,?,007771F7,00000000,?,?,?), ref: 007395F0
SelectObject.GDI32(?,00000000), ref: 00739603
DeleteObject.GDI32 ref: 00739616
StrokePath.GDI32(?), ref: 00739631

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d946ce43b5ebc77e33619c27ba8880d5268121d6d909dee357cd1b7b12fac38f
Instruction ID: 311ad0614b5f9b0dee9fd264a9b48468d3ad431513a50e63c0d51fdd83ef34f6
Opcode Fuzzy Hash: d946ce43b5ebc77e33619c27ba8880d5268121d6d909dee357cd1b7b12fac38f
Instruction Fuzzy Hash: 21F03C30006248EBEB12AF69ED1CBB93B65AB10322F44C314F565550F1D7BC99A1DFA8

Function 00750F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007510F9
__freea.LIBCMT ref: 00751117

Part of subcall function 00751537: _free.LIBCMT ref: 0075154F

Strings

a/p, xrefs: 007511DE
am/pm, xrefs: 0075117A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a79772a35bf5fc50644e8b24c218d6378b8b3d64deae9b5fc29133748f8b6b2e
Instruction ID: b84e304e25fb932b186e69065875ca311cee8813cb64a0216421c6ccbe3a2c19
Opcode Fuzzy Hash: a79772a35bf5fc50644e8b24c218d6378b8b3d64deae9b5fc29133748f8b6b2e
Instruction Fuzzy Hash: AED1F431A00205DADB249F68C8A5BFAB7B1FF06703FA44159ED059B690D3FD9D88CB91

Function 00755AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOr, xrefs: 00755BA8, 00755C6C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: JOr
API String ID: 0-1269207774
Opcode ID: 00adb33148c61a3a6e0246936c20daf1128fb8e9700a20de53db96de589f33ab
Instruction ID: 756c582cc12c92b87c3dbda2d79df1213260dc63627d7814b3c678c3db1f8073
Opcode Fuzzy Hash: 00adb33148c61a3a6e0246936c20daf1128fb8e9700a20de53db96de589f33ab
Instruction Fuzzy Hash: 6A51A1B1D0060ADFDB119FA8C859FEE7BB4AF05312F14015AFC05AB291D7BD9A09CB61

Function 00758A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00758B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00758B7A
__dosmaperr.LIBCMT ref: 00758B81

Strings

.t, xrefs: 00758A63

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .t
API String ID: 2434981716-4274973675
Opcode ID: 5ed62ff79a197f54f913e68f6035b269d79900e3e4631d1e252ef86289471f9f
Instruction ID: e1ba877f1fd24ad6cf51e13bd03fbef856a3f85919c8a9d56c10487120b2dd3d
Opcode Fuzzy Hash: 5ed62ff79a197f54f913e68f6035b269d79900e3e4631d1e252ef86289471f9f
Instruction Fuzzy Hash: E841AEF0604045AFDB659F24C880AFD3FE9EB45301F28C199FC55AB252DEB98C068796

Function 00782716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0078B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007821D0,?,?,00000034,00000800,?,00000034), ref: 0078B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00782760

Part of subcall function 0078B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0078B3F8

Part of subcall function 0078B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0078B355
Part of subcall function 0078B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00782194,00000034,?,?,00001004,00000000,00000000), ref: 0078B365
Part of subcall function 0078B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00782194,00000034,?,?,00001004,00000000,00000000), ref: 0078B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007827CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0078281A

Strings

@, xrefs: 00782832

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d7e91c8785e5ff4b474decf0771db3342c1716bc38ec6d1e095ff7991e9639c8
Instruction ID: bafad3fbc6653a5c68954aed5f457d149513720d66a30d7dbe604412b08e71c1
Opcode Fuzzy Hash: d7e91c8785e5ff4b474decf0771db3342c1716bc38ec6d1e095ff7991e9639c8
Instruction Fuzzy Hash: 14411B72940218BFDB11EBA4CD46EEEBBB8EF09700F108095FA55B7181DB746E45CBA1

Function 0075172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00751769
_free.LIBCMT ref: 00751834
_free.LIBCMT ref: 0075183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00751760, 00751767, 00751796, 007517CE

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 8d0925e993c6ac76dd70f8e29482be2adc1dfdff558ff076f91a33c1bb7c1a9d
Instruction ID: 4300b0a0c23fc570bcdf80ff50d572f9e5356d3f89800e91a56a7162d581042c
Opcode Fuzzy Hash: 8d0925e993c6ac76dd70f8e29482be2adc1dfdff558ff076f91a33c1bb7c1a9d
Instruction Fuzzy Hash: 5E319175A00218EFDB21DB999C85EEEBBFCEB89312F904166F81497211D7F85E44CB90

Function 0078C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0078C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0078C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007F1990,010577A8), ref: 0078C395

Strings

0, xrefs: 0078C2DF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: ff33ec16602b79ac98a0630f84090c415185e601ee0790e5c03efab2387dd957
Instruction ID: 91d2a0e2f8cead7ac7e8409fd5828144c0b82a0ea811e0cc31d1f800e5153353
Opcode Fuzzy Hash: ff33ec16602b79ac98a0630f84090c415185e601ee0790e5c03efab2387dd957
Instruction Fuzzy Hash: CF418D31244301DFD722EF25D885B5ABBE8EF85320F148A2DF9A5972D1D738A905CB62

Function 007B4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007BCC08,00000000,?,?,?,?), ref: 007B44AA
GetWindowLongW.USER32 ref: 007B44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B44D7

Strings

SysTreeView32, xrefs: 007B447C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2bd6f53a887443ac6ab5f932afa4588f2229ad924355a91be73b449175e580a0
Instruction ID: 0e46389410d32e01587f13cccd5b6dd7f34f8f5e23978a184be3c1c1179f4a23
Opcode Fuzzy Hash: 2bd6f53a887443ac6ab5f932afa4588f2229ad924355a91be73b449175e580a0
Instruction Fuzzy Hash: 14319C72210645AFDB218E38DC45FEA7BA9EF08334F208715F975921D1D778EC609760

Function 00786E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00786EED
VariantCopyInd.OLEAUT32(?,?), ref: 00786F08
VariantClear.OLEAUT32(?), ref: 00786F12

Strings

*jx, xrefs: 00786E8B, 00786E90, 00786EF8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jx
API String ID: 2173805711-190275591
Opcode ID: bf4a379d50d68a6727a1dd3e4a864f055556b053cfa0ffd12045a6b5a0377b11
Instruction ID: 92301d31ae2265664dc1574d9f837515c37342cb323d7aa6a2dbc6fbe7cb4d87
Opcode Fuzzy Hash: bf4a379d50d68a6727a1dd3e4a864f055556b053cfa0ffd12045a6b5a0377b11
Instruction Fuzzy Hash: 50319172604255EFCB05BFA4E8559BE7776FF89700B1044A8FA025B2A1C73CD911DB94

Function 007A304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007A335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,007A3077,?,?), ref: 007A3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 007A307A
_wcslen.LIBCMT ref: 007A309B
htons.WSOCK32(00000000,?,?,00000000), ref: 007A3106

Strings

255.255.255.255, xrefs: 007A3095, 007A309A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: a18b8806118a572fdecfa29f4a067e793ac77717e8d71e4be517b6144beae180
Instruction ID: ab47bc4a0683e20a10601a94b405a52faabba2d938a29f92365ce836bed00e6c
Opcode Fuzzy Hash: a18b8806118a572fdecfa29f4a067e793ac77717e8d71e4be517b6144beae180
Instruction Fuzzy Hash: 6131D339204205DFCB10CF68C486EAA77E1EF96318F24C259F9158B392DB3AEE41C760

Function 007B3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007B3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007B3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B3F78

Strings

SysMonthCal32, xrefs: 007B3F0B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fac10c0529f09e9ff2d82c0d4df0dec1223890b0d3529d3fd043708b8cb30ae2
Instruction ID: 075e511c4561503cdae8c4d9edcd2d281422ef4d4ff8ea51c2802013c50652ce
Opcode Fuzzy Hash: fac10c0529f09e9ff2d82c0d4df0dec1223890b0d3529d3fd043708b8cb30ae2
Instruction Fuzzy Hash: 9221BC32600219BFDF229F94CC46FEA3B79EB48724F114215FA156B1D0D6B9A990CBA0

Function 007B4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007B4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007B4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007B471A

Strings

msctls_updown32, xrefs: 007B4684

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: acfc8b8dd1ddd0316edc303d4c64f63996971de8ca371b92a24bac3771a0d1da
Instruction ID: 620a86cdd3d0ad0e1e1755230590eff1a9eca9f3f95c00cefd710512481ae71f
Opcode Fuzzy Hash: acfc8b8dd1ddd0316edc303d4c64f63996971de8ca371b92a24bac3771a0d1da
Instruction Fuzzy Hash: BA2160B5600248AFDB11DF64DCC5EB737BDEB5A3A8B044059FA009B252CB79EC11CA60

Function 007895AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078961D

Strings

#requireadmin, xrefs: 007895D9
#OnAutoItStartRegister, xrefs: 007895F3
#notrayicon, xrefs: 007895B7

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 0827cb80a4563b3cad28132ac7ab1c6794e45b946d5aaa4c65819f6b880580cc
Instruction ID: 5c19055e23542b067b24c7fe9129151da999639f222bc659046e8c4fc9e910b0
Opcode Fuzzy Hash: 0827cb80a4563b3cad28132ac7ab1c6794e45b946d5aaa4c65819f6b880580cc
Instruction Fuzzy Hash: D9213572284620E6D331BA249C0AFBB73989F91710F184026FA59D7181FB6DAD51C3A5

Function 007B37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007B3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007B3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007B3876

Strings

Listbox, xrefs: 007B380F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3b7704d0ecbc8d8a76ee1f5c42dd005456b5ca44230f3ec819db748f07737a5a
Instruction ID: aedd6953d6663e9d5241cf31fa9f77cf3730c60cb673fdad2091c66f7d289b24
Opcode Fuzzy Hash: 3b7704d0ecbc8d8a76ee1f5c42dd005456b5ca44230f3ec819db748f07737a5a
Instruction Fuzzy Hash: 6621BE72610218BBEB218F54DC85FFB376EEF89760F108124F9049B190CA79DC9287A0

Function 007949F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00794A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00794A5C
SetErrorMode.KERNEL32(00000000,?,?,007BCC08), ref: 00794AD0

Strings

%lu, xrefs: 00794A6F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a24eb642be6bff4a704b82201b32fbe943b2fc6a43b378478a58ee5ae83298f4
Instruction ID: b87b411c81d5b3212401b1948ae76effddb158888324bb82dc030dcb50240fa1
Opcode Fuzzy Hash: a24eb642be6bff4a704b82201b32fbe943b2fc6a43b378478a58ee5ae83298f4
Instruction Fuzzy Hash: F6315271A00108EFDB10DF64D885EAA77F8EF04304F148099F505DB252D779ED45CB61

Function 007B41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007B424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007B4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007B4271

Strings

msctls_trackbar32, xrefs: 007B4226

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: ccc0eb4254e1c8365547209f38290c758a0254099cd26e5ea1b32ee779bebbe5
Instruction ID: 64420513b07e352d64067b8686df7eed3ccf02ef9548fdbb72cf65573203758a
Opcode Fuzzy Hash: ccc0eb4254e1c8365547209f38290c758a0254099cd26e5ea1b32ee779bebbe5
Instruction Fuzzy Hash: 8811E371240248BEEF209E29CC06FEB3BACEF95B64F014114FA55E2091D275DC11DB50

Function 00782F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

Part of subcall function 00782DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00782DC5
Part of subcall function 00782DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00782DD6
Part of subcall function 00782DA7: GetCurrentThreadId.KERNEL32 ref: 00782DDD
Part of subcall function 00782DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00782DE4

GetFocus.USER32 ref: 00782F78

Part of subcall function 00782DEE: GetParent.USER32(00000000), ref: 00782DF9

GetClassNameW.USER32(?,?,00000100), ref: 00782FC3
EnumChildWindows.USER32(?,0078303B), ref: 00782FEB

Strings

%s%d, xrefs: 00782FFF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 65f8a4938ca0eeac5c23516c7f44bf41eb24805a7eeb791f3c8855bd37e4b613
Instruction ID: 77d2f1eb9f03c23071a2d2b082e1945336fc3ff4b1913b27b62ef107ce71d015
Opcode Fuzzy Hash: 65f8a4938ca0eeac5c23516c7f44bf41eb24805a7eeb791f3c8855bd37e4b613
Instruction Fuzzy Hash: 3811E4B1700205ABCF557F749C89FED376AAF84304F048076F9099B252DE3899068B70

Function 007B5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007B58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007B58EE
DrawMenuBar.USER32(?), ref: 007B58FD

Strings

0, xrefs: 007B588F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f6aeaa9c8ae48b98b56364202a183f570d668569cf0fa77154b89292e27113db
Instruction ID: 3f3c02f8a5e6d3e326392647fd13d3a27a0cb48b37af3ac341bd1d5fd56a2b05
Opcode Fuzzy Hash: f6aeaa9c8ae48b98b56364202a183f570d668569cf0fa77154b89292e27113db
Instruction Fuzzy Hash: 2C011B31500218EEDB219F11DC48FEEBBB4FF45361F14C0AAE849D6151DB389A94DF21

Function 0078007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7229d9bb49d975b8044a7205e94e1acd5902bd50d89692805df608e686c37868
Instruction ID: beb5c999b15340eb66565049f4104d4823313905532ab39e39f5f0e445e32de4
Opcode Fuzzy Hash: 7229d9bb49d975b8044a7205e94e1acd5902bd50d89692805df608e686c37868
Instruction Fuzzy Hash: FDC17A75A0020AEFDB54DFA8C888EAEB7B5FF48314F208598E405EB251D774EE45DB90

Function 007A342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007A3459
CoUninitialize.OLE32 ref: 007A3463
VariantInit.OLEAUT32(?), ref: 007A346E
VariantClear.OLEAUT32(?), ref: 007A371B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: e8969c6c5458568d3a2edce163c74e59332a31620c22c69d967eeae93917e457
Instruction ID: f623266eebdf462cbd0b529958e12822c187bae7847e0ff6fba8f80464d020ee
Opcode Fuzzy Hash: e8969c6c5458568d3a2edce163c74e59332a31620c22c69d967eeae93917e457
Instruction Fuzzy Hash: 8DA14B75604310DFC704DF29C589A2AB7E5FF89714F048959F98A9B362DB38EE01CB91

Function 00780436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007BFC08,?), ref: 007805F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007BFC08,?), ref: 00780608
CLSIDFromProgID.OLE32(?,?,00000000,007BCC40,000000FF,?,00000000,00000800,00000000,?,007BFC08,?), ref: 0078062D
_memcmp.LIBVCRUNTIME ref: 0078064E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 72c388ec5e4eb6141d4d926b97dc8f737ba19ce2185524f38239986395cbef3f
Instruction ID: 9512a3450d646296760a982eed8076d5cb3263b5e906222142e74f4992c5e534
Opcode Fuzzy Hash: 72c388ec5e4eb6141d4d926b97dc8f737ba19ce2185524f38239986395cbef3f
Instruction Fuzzy Hash: C3811E71A00109EFCB44DF94C984EEEB7B9FF89315F144558F506AB250DB75AE0ACBA0

Function 007AA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007AA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 007AA6BA

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Process32NextW.KERNEL32(00000000,?), ref: 007AA79C
CloseHandle.KERNEL32(00000000), ref: 007AA7AB

Part of subcall function 0073CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00763303,?), ref: 0073CE8A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 31849a4f6fa83141e5498818b906d940f2ed6c76a652c2c4917f9a0ea47f7d4c
Instruction ID: 9678dfd305ece0c81be0e0baccc2d1e197e49cedc36992415d92b166dddedf96
Opcode Fuzzy Hash: 31849a4f6fa83141e5498818b906d940f2ed6c76a652c2c4917f9a0ea47f7d4c
Instruction Fuzzy Hash: 84512A71508350EFD710EF24D88AA6BBBE8FF89754F04892DF58597252EB38D904CB92

Function 00761391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007614C0

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7bba1f49bc5fee3ced2c5de7b978bcda941197425a3b69ed4308fb7efb591f2b
Instruction ID: 6739694941d0a3961cdfc15a57b241c6ac8feaa4f2d21008d1935b52e1ad0504
Opcode Fuzzy Hash: 7bba1f49bc5fee3ced2c5de7b978bcda941197425a3b69ed4308fb7efb591f2b
Instruction Fuzzy Hash: F8410A31900150EBDB21ABB98C4EAEE3EA4EF41370F5C4225FC1BD7292EB7C8C455661

Function 007B6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007B62E2
ScreenToClient.USER32(?,?), ref: 007B6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007B6382

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 5048564e02823b29da9f3da317de4ddd09ec810b36a569024d0c6c05d6c38e21
Instruction ID: d6d6e9f7a03788afd8f2c38de2a9f86d9ff363aa38065f5a75de8cf0c261372c
Opcode Fuzzy Hash: 5048564e02823b29da9f3da317de4ddd09ec810b36a569024d0c6c05d6c38e21
Instruction Fuzzy Hash: 3D512975A00249EFDF10DF58D884AEE7BB5FB55360F108269FA1597290D738AD41CB90

Function 007A1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007A1AFD
WSAGetLastError.WSOCK32 ref: 007A1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 007A1B8A
WSAGetLastError.WSOCK32 ref: 007A1B94

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a346e272ef8ddd36f6f7a729ee117333f0b6ac9d00f1f4b56ec64a8283a074f
Instruction ID: 239d05657207aefb71424f822b33d6c0ec5db70007da3ecae57e3770b2ee2bea
Opcode Fuzzy Hash: 7a346e272ef8ddd36f6f7a729ee117333f0b6ac9d00f1f4b56ec64a8283a074f
Instruction Fuzzy Hash: A041D074600210AFE720AF20D88AF2977E5AB89718F54C548F91A9F7D3D77ADD41CB90

Function 0075B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2baab0df64a12aff78bf10559e7009687292d649066a7a6d75706ad40749df49
Instruction ID: d965b91143fe29a9e8beb6996d9b3f5e86bd18d3cd57efbc07e681049b0fc9aa
Opcode Fuzzy Hash: 2baab0df64a12aff78bf10559e7009687292d649066a7a6d75706ad40749df49
Instruction Fuzzy Hash: CE410A72A00354FFD7249F38CC45BBA7BA9EB88711F10452EF951DB682D7B9A9058780

Function 007956D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00795783
GetLastError.KERNEL32(?,00000000), ref: 007957A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007957CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007957FA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a715b505fc00ed2fb884f1bcc6b7509c8b8284920c2124999bddef6ce041242f
Instruction ID: b5ed94fc9e3696c42ed684681634d1d600ca7dc0594febc4d0ef77155e6fc297
Opcode Fuzzy Hash: a715b505fc00ed2fb884f1bcc6b7509c8b8284920c2124999bddef6ce041242f
Instruction Fuzzy Hash: 02411E35600620DFCB15EF55D548A5EBBF2EF89320B19C488E84A6B362CB38FD40CB91

Function 0075D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00746D71,00000000,00000000,007482D9,?,007482D9,?,00000001,00746D71,?,00000001,007482D9,007482D9), ref: 0075D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0075D9AB
__freea.LIBCMT ref: 0075D9B4

Part of subcall function 00753820: RtlAllocateHeap.NTDLL(00000000,?,007F1444,?,0073FDF5,?,?,0072A976,00000010,007F1440,007213FC,?,007213C6,?,00721129), ref: 00753852

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 5736278f94538e1ea60fbe2997ffca0493be35a9c8b40ba6ab99ba92b75e54ed
Instruction ID: 5bdf96d7c003cb2630716edce391471ce8788b1938cd883311bff4dd54aa4213
Opcode Fuzzy Hash: 5736278f94538e1ea60fbe2997ffca0493be35a9c8b40ba6ab99ba92b75e54ed
Instruction Fuzzy Hash: 5831D072A0020AABDF35DF64DC45EEE7BA5EB41311B054268FC04E7151EB79ED58CBA0

Function 007B52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007B5352
GetWindowLongW.USER32(?,000000F0), ref: 007B5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007B5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007B53A8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: e9a07a5e068beff87f24d7fdc2b7f55e7ea57e204befc1345e9737972ca70295
Instruction ID: ebc9f6b9fbdc799d460b1c7cc0a3a9108322b3431349c98687aeefee402f6974
Opcode Fuzzy Hash: e9a07a5e068beff87f24d7fdc2b7f55e7ea57e204befc1345e9737972ca70295
Instruction Fuzzy Hash: 1331C234A55A08EFEB309E14CC59FE877E5AB04398F588102FA11973E1C7BDA980DB41

Function 0078AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0078ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0078AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0078AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0078ACC6

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 540670645f68193e7f0772893d4f3cfdc271fce73083d521a0c7e37200a812ee
Instruction ID: 80121e8bd82f29ad926f4620428e598d7aef460a170390323d6b536e479ab5de
Opcode Fuzzy Hash: 540670645f68193e7f0772893d4f3cfdc271fce73083d521a0c7e37200a812ee
Instruction Fuzzy Hash: 62310970A80718BFFF35EB658C08BFA7BA5AB49310F08831BE585521D1D37D89858772

Function 007B7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007B769A
GetWindowRect.USER32(?,?), ref: 007B7710
PtInRect.USER32(?,?,007B8B89), ref: 007B7720
MessageBeep.USER32(00000000), ref: 007B778C

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2521de080df93f1277eb67ea10d5ff486fe8f83104f845da42c2e6d5029a5c5d
Instruction ID: 6b0bfea419620c27f265380b84ec77ef6ed7deeb2103d5ef5332ca96c57490cc
Opcode Fuzzy Hash: 2521de080df93f1277eb67ea10d5ff486fe8f83104f845da42c2e6d5029a5c5d
Instruction Fuzzy Hash: A7419A34A09254DFCB19CF58C898FE9B7F4FF88314F5981A8E8159B261CB78E941CB90

Function 007B16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007B16EB

Part of subcall function 00783A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00783A57
Part of subcall function 00783A3D: GetCurrentThreadId.KERNEL32 ref: 00783A5E
Part of subcall function 00783A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007825B3), ref: 00783A65

GetCaretPos.USER32(?), ref: 007B16FF
ClientToScreen.USER32(00000000,?), ref: 007B174C
GetForegroundWindow.USER32 ref: 007B1752

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 46801c79989b75fda6bb4e5bd4a88097eb635a7baa742fa2fa9d4c31a7264359
Instruction ID: ccb5e6daf79c39eb91e75e179e7a48981add1a5e38fa9a1995c0c8eda4400a1c
Opcode Fuzzy Hash: 46801c79989b75fda6bb4e5bd4a88097eb635a7baa742fa2fa9d4c31a7264359
Instruction Fuzzy Hash: D3318F71D00148EFCB04EFA9D885DEEBBF9EF48304B5480AAE415E7211DB389E45CBA0

Function 0078DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

_wcslen.LIBCMT ref: 0078DFCB
_wcslen.LIBCMT ref: 0078DFE2
_wcslen.LIBCMT ref: 0078E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0078E018

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: af965a7e029d3deb406a5c80f523ecbacb1137c2b33fa297e2a62766e4d4dea3
Instruction ID: a95618c95a5e69a818029822797783e85cb36f94b58e6f311a7c3b7501e8f4a9
Opcode Fuzzy Hash: af965a7e029d3deb406a5c80f523ecbacb1137c2b33fa297e2a62766e4d4dea3
Instruction Fuzzy Hash: CC21D371940214EFCB20AFA8D985BAEB7F8EF45750F104064E904BB285D7789E41CBA1

Function 007B8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetCursorPos.USER32(?), ref: 007B9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00777711,?,?,?,?,?), ref: 007B9016
GetCursorPos.USER32(?), ref: 007B905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00777711,?,?,?), ref: 007B9094

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2280be6ce295730424608a077dbb00e95dcbc7c0eea3b58582e105f244ba384c
Instruction ID: 6a09516849854c49cfd470b1d7fead2c31df6e78ed1971f7e12fb451c844e7ea
Opcode Fuzzy Hash: 2280be6ce295730424608a077dbb00e95dcbc7c0eea3b58582e105f244ba384c
Instruction Fuzzy Hash: 6321BF31600018EFDB26DF94C898FFA7BB9EF8A360F108165FB1547261C379A950DB60

Function 0078D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007BCB68), ref: 0078D2FB
GetLastError.KERNEL32 ref: 0078D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0078D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007BCB68), ref: 0078D376

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c97db43c610ac57886f807fbc0b7d17fe9d736708ca10d25714b1eecb1c790ff
Instruction ID: fae74dde8452c25d0df3ed90d7e1c12657d12e9fad77aba1baa14eae2b1810d1
Opcode Fuzzy Hash: c97db43c610ac57886f807fbc0b7d17fe9d736708ca10d25714b1eecb1c790ff
Instruction Fuzzy Hash: EC218D70548201DF8720EF28D8859AEB7E4BE5A324F148A1DF499C72E1E7389D45CB93

Function 00781571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00781014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0078102A
Part of subcall function 00781014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00781036
Part of subcall function 00781014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781045
Part of subcall function 00781014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0078104C
Part of subcall function 00781014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00781062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007815BE
_memcmp.LIBVCRUNTIME ref: 007815E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00781617
HeapFree.KERNEL32(00000000), ref: 0078161E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a53d4f7af5bad62f3c8a386a2adfe0c6e4fd33cc6b14df297fb13f5538b04f01
Instruction ID: 5f244c7a0dbd0743eca8a61793298a7d0eefa072aa2153d3a11165bd0402facf
Opcode Fuzzy Hash: a53d4f7af5bad62f3c8a386a2adfe0c6e4fd33cc6b14df297fb13f5538b04f01
Instruction Fuzzy Hash: 80218E71E40108EFDF00EFA4C949BEEB7B8FF44344F498459E441AB241EB38AA06CB60

Function 007B2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007B280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007B2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007B2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007B2840

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 489cdd5b63d9d1683826df7923625516100f8dcef6d59c5fea1b889ff41a2ec8
Instruction ID: 2110a0366a82bf026af0a19d57cdfc5fa0e949a76919cedcc2bd5df9990ea11c
Opcode Fuzzy Hash: 489cdd5b63d9d1683826df7923625516100f8dcef6d59c5fea1b889ff41a2ec8
Instruction Fuzzy Hash: E721B331206511AFD7159B24C845FEA7B99AF49324F248258F4268B6E3CB79FC42C7D4

Function 007878F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00788D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?), ref: 00788D8C
Part of subcall function 00788D7D: lstrcpyW.KERNEL32(00000000,?,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00788DB2
Part of subcall function 00788D7D: lstrcmpiW.KERNEL32(00000000,?,0078790A,?,000000FF,?,00788754,00000000,?,0000001C,?,?), ref: 00788DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787923
lstrcpyW.KERNEL32(00000000,?,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00788754,00000000,?,0000001C,?,?,00000000), ref: 00787984

Strings

cdecl, xrefs: 0078797B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b2e93ce979376e7750ce76dd95aff2f6a1a58389f3f1632d79cc58be79c24624
Instruction ID: 3502346f67719e85c0619be2d8b0c61841b8ebd3490d5234e0f660097800c348
Opcode Fuzzy Hash: b2e93ce979376e7750ce76dd95aff2f6a1a58389f3f1632d79cc58be79c24624
Instruction Fuzzy Hash: 1A11293A240306ABDB15AF39C844E7A77A9FF49390B50802AF842CB265EF39D801C761

Function 007B7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007B7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007B7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007B7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0079B7AD,00000000), ref: 007B7D6B

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fa9e8f2a2bf8deaf9c3fde558c66e5b191435532ad0b993bd0b3d9a4d8930b68
Instruction ID: f10469134f0c342dcf052d5465ed65731aeb8d8fc84fe2008f7817d3d5bdf595
Opcode Fuzzy Hash: fa9e8f2a2bf8deaf9c3fde558c66e5b191435532ad0b993bd0b3d9a4d8930b68
Instruction Fuzzy Hash: 6E118E31604655AFCB159F28CC04FB63BA5AF853A0F258724F839DB2E0E7399950DB90

Function 007B5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007B56BB
_wcslen.LIBCMT ref: 007B56CD
_wcslen.LIBCMT ref: 007B56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007B5816

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 434f1e7a83aecc83a51e31c57fdd6aa23ec9599ceee9ff2ff4fbcf8c8985ecb1
Instruction ID: c105685191db4e602cc1652e6b77fc5ce2e18a8dc5ca2f6140a9a41ff8029a1b
Opcode Fuzzy Hash: 434f1e7a83aecc83a51e31c57fdd6aa23ec9599ceee9ff2ff4fbcf8c8985ecb1
Instruction Fuzzy Hash: 4411D071A00608EADB209F61CC85FEE77ACEF10768F508166F915D6081EBB8DA80CB64

Function 00751D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc283a5f26f52e139fb5e253d4387e9207cec73218e4097a9845f248d5ba10f
Instruction ID: 1c4cc0964b357f796f472ab36bea0c56972c20abdfbdc8029f54be16a33b8b26
Opcode Fuzzy Hash: bbc283a5f26f52e139fb5e253d4387e9207cec73218e4097a9845f248d5ba10f
Instruction Fuzzy Hash: 5F0184B230571A7EF62116786CC4FA7672CDF413BBB754325FD31611D2DBA89C484260

Function 00781A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00781A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00781A8A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 79a630911ac2efc7df43c016cd1712480cdfd76303190cb8fb0f705e1ea30060
Instruction ID: 2a17043ccd7cd7d6657d32658ab30b6d3d7e3c82133e725c80fc30ef9e85a6ef
Opcode Fuzzy Hash: 79a630911ac2efc7df43c016cd1712480cdfd76303190cb8fb0f705e1ea30060
Instruction Fuzzy Hash: 8C11393AD41219FFEB11EBA4CD85FADBB78EB08750F204091EA10B7290D6716E51DB94

Function 0078E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0078E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0078E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0078E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0078E24D

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 78f85d539a07725d0c4928dc08931eaaf66d1f26755720cb9f0bc5fbbb25d586
Instruction ID: 82de79e1d9b702deb8d3cb43ba28138a35927d996f4557e3f5f2e8d1ae46a856
Opcode Fuzzy Hash: 78f85d539a07725d0c4928dc08931eaaf66d1f26755720cb9f0bc5fbbb25d586
Instruction Fuzzy Hash: AF110872904218BBC701AFA89C09EAE7FADAF45310F40C325F814E3290D7B88D0087A4

Function 0074D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0074CFF9,00000000,00000004,00000000), ref: 0074D218
GetLastError.KERNEL32 ref: 0074D224
__dosmaperr.LIBCMT ref: 0074D22B
ResumeThread.KERNEL32(00000000), ref: 0074D249

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a29896c1fe7feb3056fb1c47c738f829be80a04c967bc6a19e3e38743af54005
Instruction ID: b3acd5cb2ee1bb5f86438292431c7ec8ddaf60a3c8c55aff6e832e25f82b5b32
Opcode Fuzzy Hash: a29896c1fe7feb3056fb1c47c738f829be80a04c967bc6a19e3e38743af54005
Instruction Fuzzy Hash: F201D276805218BBCB215BA5DC0DBAE7AA9EF81331F108319F925921D0DBB8CD01C6A1

Function 007B9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00739BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00739BB2

GetClientRect.USER32(?,?), ref: 007B9F31
GetCursorPos.USER32(?), ref: 007B9F3B
ScreenToClient.USER32(?,?), ref: 007B9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 007B9F7A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9eef1ebf3f81f0c37849a04840a878fc73e33f47872d7de523b4ace5f6a82188
Instruction ID: 7b40996afb7d53504faec80f550f873462f0a536278920d933a7d63d3cef2857
Opcode Fuzzy Hash: 9eef1ebf3f81f0c37849a04840a878fc73e33f47872d7de523b4ace5f6a82188
Instruction Fuzzy Hash: 4611283190011AEFDB11DF98C849EFE77B8EB45321F504551FA11E3150D738BA91CBA5

Function 0072600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
GetStockObject.GDI32(00000011), ref: 00726060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 44292af1c72ba2b897728120906b605181e91cef1f492b38d1c85644faa4b952
Instruction ID: 86cc5acf850e205278b5e416e48bb3c62839b7d0c0281ff1945fa4c80b104ada
Opcode Fuzzy Hash: 44292af1c72ba2b897728120906b605181e91cef1f492b38d1c85644faa4b952
Instruction Fuzzy Hash: 26116172501558FFEF224FA49C44EFA7B69EF19354F048216FA1556110D73ADC60EBA0

Function 00743B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00743B56

Part of subcall function 00743AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00743AD2
Part of subcall function 00743AA3: ___AdjustPointer.LIBCMT ref: 00743AED

_UnwindNestedFrames.LIBCMT ref: 00743B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00743B7C
CallCatchBlock.LIBVCRUNTIME ref: 00743BA4

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c43f93f0c0d772068d3be6377c8bbc7af6e82f94aa86e22c12dcb7e07a29fc5f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 84012972100148BBDF126E95CC46EEB3B6EEF48754F044014FE4896121C73AE961EBA0

Function 00753073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007213C6,00000000,00000000,?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue), ref: 007530A5
GetLastError.KERNEL32(?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue,007C2290,FlsSetValue,00000000,00000364,?,00752E46), ref: 007530B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0075301A,007213C6,00000000,00000000,00000000,?,0075328B,00000006,FlsSetValue,007C2290,FlsSetValue,00000000), ref: 007530BF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7fcd9ea8b66c5a36a67142b8354de03f17eed054a4d553675c992a28c4284e7e
Instruction ID: cebf6ef9c5f9f472e3592c3dba6971eec5121d5380fcc4f6b34c1909a3e181ab
Opcode Fuzzy Hash: 7fcd9ea8b66c5a36a67142b8354de03f17eed054a4d553675c992a28c4284e7e
Instruction Fuzzy Hash: B101D832301326ABCB324A789C44EA77799AF457E2B108724FD0DE31A0C769D909C6E4

Function 00787464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0078747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00787497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007874AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007874CA

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ed382717a3f0b30a26bcb96255fe17ff144aa1596219e16fe519c1c9e33db639
Instruction ID: cdf3cca32117d33315339ae22fca7c5816727962b7edabfc20d685fe6693fe4a
Opcode Fuzzy Hash: ed382717a3f0b30a26bcb96255fe17ff144aa1596219e16fe519c1c9e33db639
Instruction Fuzzy Hash: 0111C0B1249354AFE720AF54DC08F927FFCEB00B10F20C569A65BD6191D7B8E904DB60

Function 0078B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0078ACD3,?,00008000), ref: 0078B126

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 79521e0f83aea65540c89d4b5d42402e9e8c4d3381bf4bbad624396121ca3054
Instruction ID: 1e51b87e0e1d8d23c667633dbc3cda61381f013d91a2f102a2419cf807cadeb8
Opcode Fuzzy Hash: 79521e0f83aea65540c89d4b5d42402e9e8c4d3381bf4bbad624396121ca3054
Instruction Fuzzy Hash: 31115E71C4151CD7CF00EFE8D959BEEBB78FF09711F108186D981B6181CB3855508B55

Function 007B7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007B7E33
ScreenToClient.USER32(?,?), ref: 007B7E4B
ScreenToClient.USER32(?,?), ref: 007B7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007B7E8A

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a502d022bef1e5f4679da5c62f4de1370ef4b2d6002b7452c2b6645c498dcbd3
Instruction ID: 49f8c9c6e956400400dc84a110ab893a4424e388a17da8a219d2e2235ed1c453
Opcode Fuzzy Hash: a502d022bef1e5f4679da5c62f4de1370ef4b2d6002b7452c2b6645c498dcbd3
Instruction Fuzzy Hash: 671153B9D0020AAFDB41CF98C884AEEBBF9FF08310F509166E915E3210D735AA54CF94

Function 00782DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00782DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00782DD6
GetCurrentThreadId.KERNEL32 ref: 00782DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00782DE4

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 990f36f13be58249423e3aa92686c0c60a10ec6ee158c53da8fa94755c0aeb4f
Instruction ID: 6fae2c2d63ea5babf15a5e158485204c6fb1bb806dbccb74411ebefef74a4c46
Opcode Fuzzy Hash: 990f36f13be58249423e3aa92686c0c60a10ec6ee158c53da8fa94755c0aeb4f
Instruction Fuzzy Hash: 51E092726412287BD7212B729C0EFEB3F6CEF42BA6F008215F505D10819AA8C841C7B0

Function 007B8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00739639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00739693
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396A2
Part of subcall function 00739639: BeginPath.GDI32(?), ref: 007396B9
Part of subcall function 00739639: SelectObject.GDI32(?,00000000), ref: 007396E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007B8887
LineTo.GDI32(?,?,?), ref: 007B8894
EndPath.GDI32(?), ref: 007B88A4
StrokePath.GDI32(?), ref: 007B88B2

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a87f54fea576532c8e2db07e5e1106584a745ed24083b3a1806acff258ba61ad
Instruction ID: b5201b8e6fbd425f5a5e5877a14a769954e5a143e7d48b0deb23876a49c527b0
Opcode Fuzzy Hash: a87f54fea576532c8e2db07e5e1106584a745ed24083b3a1806acff258ba61ad
Instruction Fuzzy Hash: 7BF0DA36045259FBEB136F94AC0AFDA3B59AF06310F44C100FA11651E2C7BD5551DFE9

Function 007398B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007398CC
SetTextColor.GDI32(?,?), ref: 007398D6
SetBkMode.GDI32(?,00000001), ref: 007398E9
GetStockObject.GDI32(00000005), ref: 007398F1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 5430b0b6839450a7592fedb3d42668541ec3eab605523ca4aa2503b5e4902a97
Instruction ID: d4ebb8f8de0cf29b840c937708d2f65018c6fbbdf6a357c4182c8177c70ba4f3
Opcode Fuzzy Hash: 5430b0b6839450a7592fedb3d42668541ec3eab605523ca4aa2503b5e4902a97
Instruction Fuzzy Hash: 68E06531244288AADF225B78AC09FD83F10AB52375F14C319F6F9580E1C3794650DB11

Function 0078162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00781634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007811D9), ref: 0078163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007811D9), ref: 00781648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007811D9), ref: 0078164F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d84c7b0335d6f14369b2cbd7c35aab0e5532885cf085a2f9ec2fc4dcefcb51d5
Instruction ID: 15f7d0dee222070a1e3fae8d9476d905fcd4d41877b50192a570d2f12d2a33d5
Opcode Fuzzy Hash: d84c7b0335d6f14369b2cbd7c35aab0e5532885cf085a2f9ec2fc4dcefcb51d5
Instruction Fuzzy Hash: 00E08631641211DBD7202FA09E0DF863B7CAF44791F18C918F285C9080EA3C4441C768

Function 0077D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0077D858
GetDC.USER32(00000000), ref: 0077D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0077D882
ReleaseDC.USER32(?), ref: 0077D8A3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3f29b802b07d453645da1d56d67a0524c7a542e151d0c9e6fb51e784ed238850
Instruction ID: 5e684de502ae1bfb9a021cdac35f4e65f5d08181042d8b92e1738911b9f38695
Opcode Fuzzy Hash: 3f29b802b07d453645da1d56d67a0524c7a542e151d0c9e6fb51e784ed238850
Instruction Fuzzy Hash: 58E0EEB5800204EFCB52AFA4A908F6DBBB2AB48310F24C109E80AA7250CB3C8941AF54

Function 0077D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0077D86C
GetDC.USER32(00000000), ref: 0077D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0077D882
ReleaseDC.USER32(?), ref: 0077D8A3

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b8ad6a53ee025b5517d18c1d968c97f4c065eb4fac9a88ec1d3517470a5d9afc
Instruction ID: cc520ff010676c58d9a715659180d44db1ccefe452dd485244f62db69a4d43b0
Opcode Fuzzy Hash: b8ad6a53ee025b5517d18c1d968c97f4c065eb4fac9a88ec1d3517470a5d9afc
Instruction Fuzzy Hash: CBE012B5C00204EFCB52AFA4E80CF6DBBB1BB48314F14C108E90AE7250CB3C9901AF54

Function 00794D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00727620: _wcslen.LIBCMT ref: 00727625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00794ED4

Strings

*, xrefs: 00794E10
LPT, xrefs: 00794DFB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d4cbf76e9f2631fb06e65c19b265baab3988bdea88f9cfa273e5bdbfa4cbb47c
Instruction ID: d479f08cf2155383bb457cacb0f9709effdfb844d93c1bf0e687175a5ee3acc5
Opcode Fuzzy Hash: d4cbf76e9f2631fb06e65c19b265baab3988bdea88f9cfa273e5bdbfa4cbb47c
Instruction Fuzzy Hash: 32915175A00215DFCB14DF58D484EAABBF2BF48304F188099E40A9F762D739ED86CB91

Function 0074E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0074E30D

Strings

pow, xrefs: 0074E2E5, 0074E302

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ef46d9ab1c1163840fb1ae754fd0a41da448fa1eba889855cce0b4227f8e94d7
Instruction ID: c6974472c3755f36022c94834956d9cd03a58871e3e708a32be99beac2a0568a
Opcode Fuzzy Hash: ef46d9ab1c1163840fb1ae754fd0a41da448fa1eba889855cce0b4227f8e94d7
Instruction Fuzzy Hash: BB518261A0C301D6CB1A7B14ED467F93BA4FB40762F30895CF8D5422E9DBBD8C89D646

Function 007A7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0077569E,00000000,?,007BCC08,?,00000000,00000000), ref: 007A78DD

Part of subcall function 00726B57: _wcslen.LIBCMT ref: 00726B6A

CharUpperBuffW.USER32(0077569E,00000000,?,007BCC08,00000000,?,00000000,00000000), ref: 007A783B

Strings

<s~, xrefs: 007A77C8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s~
API String ID: 3544283678-1637856232
Opcode ID: 8beddbfb0637aa2016b82a9894acdea6c5f84e9d3d3c5c68584f0b0e33eb085b
Instruction ID: 05bb61105b9f869cab0df6c3fd89ca4cdf3f171a5a3b474ada33c8ca00da4505
Opcode Fuzzy Hash: 8beddbfb0637aa2016b82a9894acdea6c5f84e9d3d3c5c68584f0b0e33eb085b
Instruction Fuzzy Hash: 6C614F72914128EBCF09EBA4DC95DFEB378BF59300F444226E542A7091EB3C6A45CBA0

Function 0073E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0073E1B1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 083721cf6e78bd9576ef407444bc60693d0c899cbd6c1fc6b190ed857f772ab4
Instruction ID: d03b60f9a871b00c57ff2e2f0336579f4ee1f744c7efbd8856bd734cb0570b4d
Opcode Fuzzy Hash: 083721cf6e78bd9576ef407444bc60693d0c899cbd6c1fc6b190ed857f772ab4
Instruction Fuzzy Hash: 79512235500346DFEF19DF68C085ABA7BA8FF19350F2480A5F8959B2D1DA3C9D52CBA0

Function 0073F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0073F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0073F2BB

Strings

@, xrefs: 0073F2AF

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f1f73f05d1ef85006860432419f599978a8c26d68534007ca04b74a5fa8c14ed
Instruction ID: 9f8a9214d29e5338291f142de3549051b1c32a4948f544102a0a9049bd9f4582
Opcode Fuzzy Hash: f1f73f05d1ef85006860432419f599978a8c26d68534007ca04b74a5fa8c14ed
Instruction Fuzzy Hash: D9512772408744EBD320AF50E98ABAFBBF8FB94300F81885DF1D941195EB748529CB66

Function 007A5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007A57E0
_wcslen.LIBCMT ref: 007A57EC

Strings

CALLARGARRAY, xrefs: 007A57E6, 007A57EB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 85dfcccd80e9c80ee5ede32e5809ba694f3668ee0672d712221cd32e88abc3bb
Instruction ID: 708ea3ef1536df7f37a7f78299d3e05f2db1ac4c93acb42c30601baf0be1926a
Opcode Fuzzy Hash: 85dfcccd80e9c80ee5ede32e5809ba694f3668ee0672d712221cd32e88abc3bb
Instruction Fuzzy Hash: A4419F31E00209DFCB14DFA9C8859AEBBB5FF9A364F144169E505A7252E73C9D81CFA0

Function 0079D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0079D13A

Strings

|, xrefs: 0079D10B

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 504078f4b6b96a72e2ee8f01dafd7206998bdd4b148cb8d39030ed9757034510
Instruction ID: 82465d850ad8969c3999721f56ddd9292adbe83c1c53fefd6b9a6fe0e427a25e
Opcode Fuzzy Hash: 504078f4b6b96a72e2ee8f01dafd7206998bdd4b148cb8d39030ed9757034510
Instruction Fuzzy Hash: 3D313E71D01219EBCF15EFA4DC89AEE7FB9FF04300F104019F915A6162E739AA56DB50

Function 007B356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007B3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007B365C

Strings

static, xrefs: 007B35BC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8c2710a0afc49a33ed2d7422b7c4bb7ff49a8efa025eb6a6afb488de7243b0b3
Instruction ID: 97ee5df688fc79cbb56d80734d424034d423cb932e2d190afb00e7f545847c51
Opcode Fuzzy Hash: 8c2710a0afc49a33ed2d7422b7c4bb7ff49a8efa025eb6a6afb488de7243b0b3
Instruction Fuzzy Hash: 44318D71110604AADB24DF38DC80FFB73A9FF88724F009619F8A597280DA38AD91D760

Function 007B4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 007B461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007B4634

Strings

', xrefs: 007B458E

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c30104a9b7825d56dc84ba1c2523764c0408637e5eefd9764b02de9fc155fee5
Instruction ID: 1352a1d1af634d512dacae3935aafc04e0233338fd13a27aff099cac5ef69ed6
Opcode Fuzzy Hash: c30104a9b7825d56dc84ba1c2523764c0408637e5eefd9764b02de9fc155fee5
Instruction Fuzzy Hash: 64313974A00719AFDF14CFA9C980BEA7BB5FF09304F10406AE904AB342D774A951CF90

Function 007B31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007B327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007B3287

Strings

Combobox, xrefs: 007B3249

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ba8f39d00fc7f6f9f9c30ebac32b8127d70f48f1b89d2b6ff4072b5f17c8461d
Instruction ID: bd43717908a575c70ba28852c55b2991eeee3e648b59050ad59771c873c9419b
Opcode Fuzzy Hash: ba8f39d00fc7f6f9f9c30ebac32b8127d70f48f1b89d2b6ff4072b5f17c8461d
Instruction Fuzzy Hash: 1711B271300208BFEF259E94DC85FFB376AFB983A4F104229F91897290D6799D918760

Function 007B3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0072600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0072604C
Part of subcall function 0072600E: GetStockObject.GDI32(00000011), ref: 00726060
Part of subcall function 0072600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0072606A

GetWindowRect.USER32(00000000,?), ref: 007B377A
GetSysColor.USER32(00000012), ref: 007B3794

Strings

static, xrefs: 007B3757

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c7d2cae3b1116aa3195f9359742688ae1e5c96f4fae1f63c1e6b07eb99864063
Instruction ID: 2926aef9d1c669d1f57d8b3744c2828b5da622b038706c2eaa1bb29fc6a2609e
Opcode Fuzzy Hash: c7d2cae3b1116aa3195f9359742688ae1e5c96f4fae1f63c1e6b07eb99864063
Instruction Fuzzy Hash: 5211F9B2610209AFDB11DFA8CC85EEA7BB8EB08354F004615F955E2250EB79E951DB60

Function 0079CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0079CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0079CDA6

Strings

<local>, xrefs: 0079CD66

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a54787a744208ea03bce6c94e93563a3e22266ff71f40eaf53bad0b08b4c7457
Instruction ID: 1b1ec05346a44dd2b8dfd53237e0cf9ed170068399bb6b8def3b17b4e163937a
Opcode Fuzzy Hash: a54787a744208ea03bce6c94e93563a3e22266ff71f40eaf53bad0b08b4c7457
Instruction Fuzzy Hash: 2011C6B13056317ADF364B669C45FE7BE6CEF127A4F004226B10983180D7789840D6F0

Function 007B3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007B34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007B34BA

Strings

edit, xrefs: 007B348F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b5bcf51df38a912620dd46687b906de384983148e502c9a362b162cac87d0c1b
Instruction ID: bd244817eadfa286620ad524a41890cdffed755868fa38f95595db6804532afb
Opcode Fuzzy Hash: b5bcf51df38a912620dd46687b906de384983148e502c9a362b162cac87d0c1b
Instruction Fuzzy Hash: 70116A71100248ABEB228E68DC44FFB376AEF05378F508324F961931E0C779EC919B64

Function 00786C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

CharUpperBuffW.USER32(?,?,?), ref: 00786CB6
_wcslen.LIBCMT ref: 00786CC2

Strings

STOP, xrefs: 00786CBC, 00786CC1

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 20142a1e2ec4ad60d8ff9a3a08c3f7e78cf7b4da2890b8fdd8d1d51b24e1bb03
Instruction ID: b969016fa957827d7e8f3078b4cbc522195c5ad6a3fb82e4a3064a10a82fac43
Opcode Fuzzy Hash: 20142a1e2ec4ad60d8ff9a3a08c3f7e78cf7b4da2890b8fdd8d1d51b24e1bb03
Instruction Fuzzy Hash: F9010032A4052AABCB21BFBDDC949BF77A5FB60710B000538E86292190EB39E800C760

Function 00781CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00781D4C

Strings

ListBox, xrefs: 00781D16
ComboBox, xrefs: 00781CEB

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 161ca6fffa63825b558d98d2568765d7c123a1784ecce298248467859a1f5c93
Instruction ID: 4d4dc8ec4b44d969c5628e5de7d7971774a065ef9df2726ef069f77ff2ca60e4
Opcode Fuzzy Hash: 161ca6fffa63825b558d98d2568765d7c123a1784ecce298248467859a1f5c93
Instruction Fuzzy Hash: 3801D8B5741228EBCB04FBA4DC55DFE7368FB46350F480A19F932572C1EA3859098770

Function 00781BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00781C46

Strings

ListBox, xrefs: 00781C10
ComboBox, xrefs: 00781BE5

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bca2506a6fef62ee365ee06c868b932e2ca9eaa674061ebe705756190de71c1b
Instruction ID: fc2d17174ebaa03750be76d8eb7324111ebc850c49c6770744b729f2dca632a2
Opcode Fuzzy Hash: bca2506a6fef62ee365ee06c868b932e2ca9eaa674061ebe705756190de71c1b
Instruction Fuzzy Hash: D401A7B5AC1118A7CB04FBA0D965EFF77ACAB15340F580019A516672C1EA2C9E0987B1

Function 00781C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00781CC8

Strings

ListBox, xrefs: 00781C94
ComboBox, xrefs: 00781C69

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ce9258bf5f7b32aad29574a8a158f6b951eeed2efeeb5d7e614ba587850c6d9
Instruction ID: 063238590a530f9cfc02d3afc24b3aa02773578dfac9f4720557b726525c5b63
Opcode Fuzzy Hash: 8ce9258bf5f7b32aad29574a8a158f6b951eeed2efeeb5d7e614ba587850c6d9
Instruction Fuzzy Hash: BF01D6B5AC1118A7CB04FBA5DA19EFE73ACAB15340F580015B90273281EA6C9F09C771

Function 00781D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729CB3: _wcslen.LIBCMT ref: 00729CBD

Part of subcall function 00783CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00783CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00781DD3

Strings

ListBox, xrefs: 00781DA0
ComboBox, xrefs: 00781D75

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bd1ad48fc9714459a0ae77f6ddf84c02413446c47aed83c2cd8c0d39d502cc27
Instruction ID: d4cb6907b9b3496b01b7cbd79a2039270c3fbd3954b61771d6b5b0b08305734a
Opcode Fuzzy Hash: bd1ad48fc9714459a0ae77f6ddf84c02413446c47aed83c2cd8c0d39d502cc27
Instruction Fuzzy Hash: 8CF0C8B1B81228A7DB04F7A5DC5AFFF777CAB05754F480915B922632C1DA6C59098370

Function 007A747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A7493
_wcslen.LIBCMT ref: 007A74B9

Strings

3, 3, 16, 1, xrefs: 007A7483

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a7b9e23e957fc07e3bec5d1d1dee5668ce522abdfccebb166a62eb62054898e6
Instruction ID: 66779682df508f6efc18fa8acb135604eab242dcd9c32330c14e88c0510ed36f
Opcode Fuzzy Hash: a7b9e23e957fc07e3bec5d1d1dee5668ce522abdfccebb166a62eb62054898e6
Instruction Fuzzy Hash: A7E02B422152A0609239127A9CC5A7F578DCFCE750710182BF981C2266EF9C9D92F3A0

Function 00780B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00780B23

Strings

Error allocating memory., xrefs: 00780B1C
AutoIt, xrefs: 00780B17

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a43bc8ea1ddeed213830455d93689d5bd5b691c2a8ccd35c53adbaff780bbaa3
Instruction ID: 6959e455d176576df24dea58979a2d028db28cd5ddde753ff2311f6939b94f1b
Opcode Fuzzy Hash: a43bc8ea1ddeed213830455d93689d5bd5b691c2a8ccd35c53adbaff780bbaa3
Instruction Fuzzy Hash: 73E0D83228435867E2113A947C0BFC97A848F05B50F104426FB88955C38AE9245006E9

Function 00740D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0073F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00740D71,?,?,?,0072100A), ref: 0073F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0072100A), ref: 00740D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0072100A), ref: 00740D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00740D7F

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7a68bbf1384b3b8a131c0f7aade807d6147a93a6811f88886caf826dc363ef88
Instruction ID: 40ef9b280587a17539714d5312029feb60803f18bce35783139af0a8d33484a0
Opcode Fuzzy Hash: 7a68bbf1384b3b8a131c0f7aade807d6147a93a6811f88886caf826dc363ef88
Instruction Fuzzy Hash: B9E0ED746007518BE3719FB8E8087967BE4BF04B54F008A3DE596C6652DBBDE4488FE1

Function 00793017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0079302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00793044

Strings

aut, xrefs: 00793038

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1f09ba9db54d84f8946620b8245cc9294a433c254dd25c8da8e4d4cbc30215b2
Instruction ID: c3b75de0b8188759e984b7a207906f686e902672149f3bb78f1ffece9b310121
Opcode Fuzzy Hash: 1f09ba9db54d84f8946620b8245cc9294a433c254dd25c8da8e4d4cbc30215b2
Instruction Fuzzy Hash: 33D05B7150031467DA2097959C0DFC73A6CD704750F0042617755D6091DAB49544CBD4

Function 0077D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0077D220

Strings

%.3d, xrefs: 0077D22B
X64, xrefs: 0077D2A8

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 2fa27b7e9a65a55e18a0bcbdaec15adac3f7e814071d984441ab3d5c371ea107
Instruction ID: bed421b7b75e583542f5dcade055a2c1f0ece9a3d9ebe7610bc5028aa37d6fce
Opcode Fuzzy Hash: 2fa27b7e9a65a55e18a0bcbdaec15adac3f7e814071d984441ab3d5c371ea107
Instruction Fuzzy Hash: C6D012A1C09148EACFA096E0DC499B9B37CBF08381F50C452F90AA1042D62CCD09A761

Function 007B2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B236C
PostMessageW.USER32(00000000), ref: 007B2373

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Strings

Shell_TrayWnd, xrefs: 007B2365

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ad9908b58192e87d651d21d311377e1bc651d16c4f80b9b24b137ba46ed7451a
Instruction ID: 5dd6c4b1114c12fc4cd5f4a135a6f83f703196e797b37db45223f20ad0518175
Opcode Fuzzy Hash: ad9908b58192e87d651d21d311377e1bc651d16c4f80b9b24b137ba46ed7451a
Instruction Fuzzy Hash: 58D0A9323C1300BAE264B7309C0FFC666049B08B00F008A12B281AA0D0C9E8B8008A08

Function 007B2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007B232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007B233F

Part of subcall function 0078E97B: Sleep.KERNEL32 ref: 0078E9F3

Strings

Shell_TrayWnd, xrefs: 007B2325

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 03d920eee45f1765bcafed557b5ae82e1dcf56eadd547f7a231cd717897f7aa2
Instruction ID: a469ee752c16e9438029dfdc81535cf276c31cc87aaf6b1dcd345a4333a0968d
Opcode Fuzzy Hash: 03d920eee45f1765bcafed557b5ae82e1dcf56eadd547f7a231cd717897f7aa2
Instruction Fuzzy Hash: 4ED0A9323C0300B6E264B7309C0FFD66A049B04B00F008A12B285AA0D0C9E8A8008A08

Function 0075BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0075BE93
GetLastError.KERNEL32 ref: 0075BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0075BEFC

Memory Dump Source

Source File: 00000000.00000002.1738502379.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1738470817.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007BC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738604940.00000000007E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738684434.00000000007EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1738716206.00000000007F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ea5c7e8bd65d8033719a766e5f930227383a8fa4938b98b574438eb1a817a70d
Instruction ID: da8c15be35e9f91fa720c486fd7a834b7af431cf0fe6d775782707d7371ea42d
Opcode Fuzzy Hash: ea5c7e8bd65d8033719a766e5f930227383a8fa4938b98b574438eb1a817a70d
Instruction Fuzzy Hash: 7D41F535600246EFCF218FA4CC89AFABBA4EF41312F144169FD59971E1DBB88D09CB61

Analysis Process: firefox.exePID: 7500, Parent PID: 3084COMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0000027141982AF2 Relevance: 26.1, APIs: 1, Strings: 10, Instructions: 6826nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0000027141982B57

Strings

>, xrefs: 0000027141986BFF
>, xrefs: 000002714198395C
#, xrefs: 0000027141980EC5
A, xrefs: 0000027141982B4F
>, xrefs: 0000027141982BB9
#, xrefs: 0000027141982B82
#, xrefs: 0000027141983C31
4, xrefs: 0000027141986BD9
z, xrefs: 0000027141982B8B
z, xrefs: 0000027141984136

Memory Dump Source

Source File: 00000010.00000002.3538033412.0000027141980000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000027141980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_27141980000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID: #$#$#$4$>$>$>$A$z$z
API String ID: 3562636166-3072146587
Opcode ID: 4791d340b90b83b9e582c1117ab7709437205e4863388a97698239cfbe9a5427
Instruction ID: 675b460d81d321fd9f0a2e369f5a6f989a68defa339c34524fa7456561c0e800
Opcode Fuzzy Hash: 4791d340b90b83b9e582c1117ab7709437205e4863388a97698239cfbe9a5427
Instruction Fuzzy Hash: 09A3D431628A498BDB2DDF2CDC956A973E6FF94700F14422EDC4AD7251DE34EA128BC1

Function 00000271411D5841 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.3533240356.00000271411D5000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000271411D5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_271411d5000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05b53faa3825b068b7400d804e4cc8dc1a031b48f102551412df13279341055
Instruction ID: 22f271e251ef13ec5d40947f19deb033a73a5bdb51042b76a4bc407c3a9f9f5f
Opcode Fuzzy Hash: d05b53faa3825b068b7400d804e4cc8dc1a031b48f102551412df13279341055
Instruction Fuzzy Hash: 5521843161CB8C4FD746EF28C854A56BBF1FB99310F1506AFE09AC3292DB34D9458792

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1893340054.000001F1AABD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1789372936.000001F1A6826000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1789867930.000001F1A6830000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1788890710.000001F1A6824000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1894400931.000001F1A9944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A994A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1894400931.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A0074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905942117.000001F1A003D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909128200.000001F19FEE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A0074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905942117.000001F1A003D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909128200.000001F19FEE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A006A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894400931.000001F1A9944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A994A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1894400931.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1915828847.000001F19F628000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A0074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905942117.000001F1A003D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909128200.000001F19FEE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A0074000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1905942117.000001F1A003D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909128200.000001F19FEE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3534226431.000002714130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3534226431.000002714130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3534226431.000002714130A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3532448098.000002A2F5D0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: m+www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1899532228.000001F1A996B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894400931.000001F1A996B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A006A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894400931.000001F1A9944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A994A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1894400931.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1899532228.000001F1A99E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1878474123.000001F1A9C1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1898039726.0000111244503000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905942117.000001F1A0060000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49802 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df742fd1-5d4b-461c-a35d-f7640dc3f772.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_df742fd1-5d4b-461c-a35d-f7640dc3f772.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\18CX51L3HYLNCBJ0DXHU.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\73UER8CAKXBLFX5X1DQF.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre