Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545792
MD5:	df53e224b7ec467a1ac0728fca54456d
SHA1:	3e9a3ded74a890ce8a5045297759b5a380b0bc2e
SHA256:	c0c74c1e71d23d484bfd9d6b6cd3f5baced40cbe19345991e9f1981bd20edf8c
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DF53E224B7EC467A1AC0728FCA54456D)

taskkill.exe (PID: 5812 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3736 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1804 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2080 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6852 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 5800 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6904 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 2148 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91cd4a2b-72b0-4e46-bfad-91a36ec11847} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973756fd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7868 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20230927232528 -prefsHandle 3300 -prefMapHandle 3412 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25bbe570-7f0f-4b01-9f5a-d7672c0a84e6} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973757b310 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7844 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8190c53c-95ea-4747-9d7c-b5fd9e2e76dd} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 19748c49d10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1733327729.0000000001596000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.1733215318.000000000158F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 5856	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0058EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0058EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0058ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0058EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0057AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1673356747.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_452fa0cc-4
Source: file.exe, 00000000.00000000.1673356747.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_408f615f-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_46802913-d
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d914a6f3-7

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C3B4F7 NtQuerySystemInformation,		16_2_000001E4D9C3B4F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C56132 NtQuerySystemInformation,		16_2_000001E4D9C56132

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0057D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00571201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00571201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0057E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051BF40	0_2_0051BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00582046	0_2_00582046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00518060	0_2_00518060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00578298	0_2_00578298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E4FF	0_2_0054E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054676B	0_2_0054676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4873	0_2_005A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051CAF0	0_2_0051CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053CAA0	0_2_0053CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052CC39	0_2_0052CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00546DD9	0_2_00546DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052B119	0_2_0052B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005191C0	0_2_005191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531394	0_2_00531394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531706	0_2_00531706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053781B	0_2_0053781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052997D	0_2_0052997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517920	0_2_00517920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005319B0	0_2_005319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537A4A	0_2_00537A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531C77	0_2_00531C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537CA7	0_2_00537CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059BE44	0_2_0059BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549EEE	0_2_00549EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531F32	0_2_00531F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C3B4F7	16_2_000001E4D9C3B4F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C56132	16_2_000001E4D9C56132
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C56172	16_2_000001E4D9C56172
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001E4D9C5685C	16_2_000001E4D9C5685C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0052F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00530A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@72/13

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005837B5 GetLastError,FormatMessageW,

0_2_005837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005710BF AdjustTokenPrivileges,CloseHandle,		0_2_005710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0057D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0058648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1881314908.0000019753736000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874153703.0000019753736000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1859477929.000001975347D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91cd4a2b-72b0-4e46-bfad-91a36ec11847} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973756fd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20230927232528 -prefsHandle 3300 -prefMapHandle 3412 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25bbe570-7f0f-4b01-9f5a-d7672c0a84e6} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973757b310 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8190c53c-95ea-4747-9d7c-b5fd9e2e76dd} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 19748c49d10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91cd4a2b-72b0-4e46-bfad-91a36ec11847} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973756fd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20230927232528 -prefsHandle 3300 -prefMapHandle 3412 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25bbe570-7f0f-4b01-9f5a-d7672c0a84e6} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973757b310 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8190c53c-95ea-4747-9d7c-b5fd9e2e76dd} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 19748c49d10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1798977908.0000019753BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1824102283.0000019746CA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1824102283.0000019746CA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1823956236.0000019746CA7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1798977908.0000019753BC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1823956236.0000019746CA7000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00530A76 push ecx; ret

0_2_00530A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0052F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96274

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001E4D9C3B4F7 rdtsc

16_2_000001E4D9C3B4F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0057DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005868EE FindFirstFileW,FindClose,	0_2_005868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0058698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00589642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00589B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00585C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: firefox.exe, 00000010.00000002.2930904044.000001E4DA120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3y
Source: firefox.exe, 0000000F.00000002.2927434419.000001C8BE88A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2927434419.000001C8BE8B6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2926514302.000001E4D991A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2930904044.000001E4DA120000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930714337.0000018C0B1F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.2930531836.000001C8BED1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.2930904044.000001E4DA120000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQn
Source: firefox.exe, 00000011.00000002.2926465805.0000018C0ACFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW03
Source: firefox.exe, 0000000F.00000002.2931396971.000001C8BF140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001E4D9C3B4F7 rdtsc

16_2_000001E4D9C3B4F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058EAA2 BlockInput,

0_2_0058EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00542622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00534CE8 mov eax, dword ptr fs:[00000030h]

0_2_00534CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00570B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00570B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00542622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0053083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005309D5 SetUnhandledExceptionFilter,	0_2_005309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00530C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00530C21

Source: C:\Users\user\Desktop\file.exe

0_2_00571201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00552BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00552BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057B226 SendInput,keybd_event,

0_2_0057B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00570B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00571663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00571663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000D.00000003.1799836436.0000019753BC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00530698 cpuid

0_2_00530698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00588195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00588195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056D27A GetUserNameW,

0_2_0056D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0054BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0054BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1733327729.0000000001596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1733215318.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5856, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1733327729.0000000001596000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1733215318.000000000158F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5856, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00591204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00591204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00591806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00591806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggestabout	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://poczta.interia.pl/mh/?mailto=%s	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	0%	URL Reputation	safe
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	0%	URL Reputation	safe
https://watch.sling.com/	0%	URL Reputation	safe
https://getpocket.com/firefox/new_tab_learn_more/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0%	URL Reputation	safe
https://getpocket.com/recommendations	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.0.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false		unknown
twitter.com	104.244.42.193	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.193.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.186.142	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.184.238	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.1.140	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://youtube.comZ	firefox.exe, 0000000D.00000003.1896815041.00002A5696903000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1886521162.000001974F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866531992.000001974A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754838404.000001974F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://json-schema.org/draft-06/schema#http://json-schema.org/draft-07/schema#Instance	firefox.exe, 0000000D.00000003.1763237210.0000019748487000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1906180766.0000019753736000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881314908.0000019753736000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874153703.0000019753736000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.2928075364.000001C8BEBE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930954970.0000018C0B303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1756283292.000001974F570000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758809817.000001974F57D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758213819.000001974F57E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000011.00000002.2928047343.0000018C0B08F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1861686724.000001974F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1874383754.000001975369C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1870599220.0000019749CF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718066974.000001974705A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716864713.0000019746E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717899903.000001974703C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718919476.0000019747077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717567318.000001974701F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1907825391.0000019750E5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1858364325.00000197537E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1910931353.0000019749569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1718066974.000001974705A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716864713.0000019746E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717899903.000001974703C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834284234.000001974F5F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718919476.0000019747077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717567318.000001974701F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1867184779.000001974A97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914688636.000001974A97C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1718066974.000001974705A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1716864713.0000019746E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717899903.000001974703C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718919476.0000019747077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717567318.000001974701F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1866531992.000001974A9A7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.2928075364.000001C8BEBE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930954970.0000018C0B303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1910931353.0000019749569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.2928075364.000001C8BEBE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930954970.0000018C0B303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B00C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1785029457.0000019747C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1861686724.000001974F48E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1866531992.000001974A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754838404.000001974F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1833041659.00000197491A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1907825391.0000019750EA6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1886521162.000001974F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754838404.000001974F3B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B013000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.2928075364.000001C8BEB72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9B86000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1763237210.0000019748474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1833041659.000001974919B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1909525355.0000019749C3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862001486.000001974F476000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754764503.000001974F42A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823314899.0000019749828000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1727969186.00000197476BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1827613805.000001974A84A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754498696.000001974F48F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1828633988.00000197476F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758356128.000001974F560000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1833041659.000001974919F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1725678811.0000019748345000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1786250610.000001974982D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1754838404.000001974F387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867184779.000001974A933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779430520.000001974F8B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913421457.00000197476D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1870599220.0000019749C18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1891844313.00000197476D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722743476.0000019747068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1823216259.0000019749840000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1867184779.000001974A97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914688636.000001974A97C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1867184779.000001974A97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1914688636.000001974A97C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1910516486.0000019749B91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1858534517.0000019753757000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1858534517.0000019753757000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1763237210.0000019748474000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1756283292.000001974F570000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758809817.000001974F57D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758213819.000001974F57E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1763352198.0000019748467000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1763237210.0000019748487000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1910931353.0000019749569000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1763352198.0000019748467000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1723376980.000001974501F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722958822.0000019745033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723559860.0000019745033000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1860421079.0000019750FE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1883552682.0000019750FE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906406461.0000019750FE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1785992749.0000019747C3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785029457.0000019747C33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1723376980.000001974501F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722958822.0000019745033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723559860.0000019745033000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.2928075364.000001C8BEBE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930954970.0000018C0B303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1902986748.0000019752FD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1717567318.000001974701F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1861686724.000001974F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717899903.000001974703C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1834284234.000001974F5F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1718919476.0000019747077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1717567318.000001974701F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.2927758383.000001C8BE990000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2927168921.000001E4D99B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2930291123.0000018C0B100000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.olx.pl/	firefox.exe, 0000000D.00000003.1910516486.0000019749B91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1785992749.0000019747C3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1785029457.0000019747C33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://poczta.interia.pl/mh/?mailto=%s	firefox.exe, 0000000D.00000003.1723376980.000001974501F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1722958822.0000019745033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1723559860.0000019745033000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/search	firefox.exe, 0000000D.00000003.1861686724.000001974F4C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1757454877.000001974F5E2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000D.00000003.1755457726.0000019749559000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://watch.sling.com/	firefox.exe, 0000000D.00000003.1912011322.00000197492C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://getpocket.com/firefox/new_tab_learn_more/	firefox.exe, 0000000D.00000003.1861686724.000001974F48E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	firefox.exe, 0000000F.00000002.2928075364.000001C8BEBE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2930954970.0000018C0B303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000D.00000003.1756283292.000001974F570000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758809817.000001974F57D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1758213819.000001974F57E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.com/recommendations	firefox.exe, 0000000D.00000003.1866531992.000001974A9E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2927625017.000001E4D9BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B0C4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts	firefox.exe, 0000000D.00000003.1758809817.000001974F56C000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.116.101	unknown	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545792
Start date and time:	2024-10-31 01:42:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@72/13
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.185.230.140, 52.11.191.138, 35.160.212.113, 172.217.18.14, 2.22.61.59, 2.22.61.56, 172.217.18.10, 142.250.185.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:43:07	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Arquivo_4593167.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	151.101.67.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.251.116.101 35.244.181.201 151.101.193.91 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_559cd4d8-ed0c-425b-a9f8-980949088ac5.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182706144045303
Encrypted:	false
SSDEEP:	192:9jMXQSNcbhbVbTbfbRbObtbyEl7nUNjJA6WnSrDtTUd/SkDrp:9Y1cNhnzFSJ0N6BnSrDhUd/f
MD5:	2FDE8CE8F093F021538044BEC3B5AA07
SHA1:	7CCAFDB3CB4C00E422E5908514AED334D2A323A3
SHA-256:	6045802AEDBE2902FFD8164F226E651F892AA7C5FE2F93919F6E4213EB8E3C5B
SHA-512:	E0779930E54276D3468E45EF2787942908C24142152343B9F18D44B93CEFA4AE35D4CC6903635299BC6BD4FD1143EA21ED2DA99941DF10ACBB7AC4BEA21A140E
Malicious:	false
Preview:	{"type":"uninstall","id":"559cd4d8-ed0c-425b-a9f8-980949088ac5","creationDate":"2024-10-31T02:36:05.286Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_559cd4d8-ed0c-425b-a9f8-980949088ac5.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.182706144045303
Encrypted:	false
SSDEEP:	192:9jMXQSNcbhbVbTbfbRbObtbyEl7nUNjJA6WnSrDtTUd/SkDrp:9Y1cNhnzFSJ0N6BnSrDhUd/f
MD5:	2FDE8CE8F093F021538044BEC3B5AA07
SHA1:	7CCAFDB3CB4C00E422E5908514AED334D2A323A3
SHA-256:	6045802AEDBE2902FFD8164F226E651F892AA7C5FE2F93919F6E4213EB8E3C5B
SHA-512:	E0779930E54276D3468E45EF2787942908C24142152343B9F18D44B93CEFA4AE35D4CC6903635299BC6BD4FD1143EA21ED2DA99941DF10ACBB7AC4BEA21A140E
Malicious:	false
Preview:	{"type":"uninstall","id":"559cd4d8-ed0c-425b-a9f8-980949088ac5","creationDate":"2024-10-31T02:36:05.286Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927812697693978
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNech:8S+OfJQPUFpOdwNIOdYVjvYcXaNLko8P
MD5:	B518F6102F88EC69080D8B96495BB0B4
SHA1:	D313D11EF35226E071441BEBF57AC41844718729
SHA-256:	59B1C3A471DB717A0C99D6A6AF5CA1F46F677C34E7E69F24682938A7D3C92D52
SHA-512:	0D17CC3AB21DA168D7EEAED22F487935A49CA82DC9F81508FC3C0AA2C6E994C8702B06D617C46E88D93DD91BD02C31B761F01A1A3CEA4F4A68FFD99026A8A133
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.927812697693978
Encrypted:	false
SSDEEP:	48:YnSwkmrOfJNmPUFpOdwNIOdoWLEWLtkDLuuukx5FBvipA6kbbXjQthvLuhakNech:8S+OfJQPUFpOdwNIOdYVjvYcXaNLko8P
MD5:	B518F6102F88EC69080D8B96495BB0B4
SHA1:	D313D11EF35226E071441BEBF57AC41844718729
SHA-256:	59B1C3A471DB717A0C99D6A6AF5CA1F46F677C34E7E69F24682938A7D3C92D52
SHA-512:	0D17CC3AB21DA168D7EEAED22F487935A49CA82DC9F81508FC3C0AA2C6E994C8702B06D617C46E88D93DD91BD02C31B761F01A1A3CEA4F4A68FFD99026A8A133
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07338695179673393
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkifJo/:DLhesh7Owd4+jie
MD5:	69E94A1BAA2A1F7D2E8B95AA73A22400
SHA1:	7DD830A6D654500093D6F2E55376E1967B71B17D
SHA-256:	0011A86C896F56CE073AD67A9D04CB7B2CDFC790BE517E6C567D3BEBACC58199
SHA-512:	90041D6CF0215DF19EBFB5D64109ED7A05654CB82BED6BFAFFB3C37347AD5FB8BD572D820BBA100D8A5C195FADBCCF93CFBF6CE26E987D71ADABB1DBF05A024C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.032910916193608225
Encrypted:	false
SSDEEP:	3:GtlstFdn1fd5Ul2ojclY/tlstFdn1fd5Ul2ojc/tJ89//alEl:GtWtNitWtNv89XuM
MD5:	835C3EDC147D15C01601E8DCA01EA8DE
SHA1:	45589E78F7F73429D433EFEE803A5824745B55A3
SHA-256:	083BBDA3314DEF83E18C85EB55E00A1ACCD65CD2ACD7EDFD375F4B537FE5E450
SHA-512:	CD38396BD63E4DA6677F13A1A3DF7AD8BE770429765C6DC2D1B690D01961E1796730752BBDC73FD2D8D36114CD5397A6C44283FFC47CA50E311288D378DDF9A7
Malicious:	false
Preview:	..-.........................!..]u(... .@...G%.0..-.........................!..]u(... .@...G%.0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03791666836379535
Encrypted:	false
SSDEEP:	3:Ol1gdlUlHTclyllfQM9lcaev/4wl8rEXsxdwhml8XW3R2:Kedloo4lw/rl8dMhm93w
MD5:	0C12EB8FAC1A5F4916556CA2DEC5ABD0
SHA1:	7C66069B520FD230EEF7922885A2C3A1D7F21DCD
SHA-256:	B5B930BCC677F3012BC846A62977B089E30EB7CD67589504EFCA489CA075DFA2
SHA-512:	91EEA80CC9AB9C9712257468A5FE972C16C2FA4FBCEBECCDCB66D4C294D19DAB1B51F6CD644521F280DD1C697CD21EC042B590425CFDF659FB2D931894E1F227
Malicious:	false
Preview:	7....-..........u(... .@}.+.v.#-........u(... .@....]..!................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493807838639423
Encrypted:	false
SSDEEP:	192:AnaRtLYbBp6Ohj4qyaaXu6K1DNUL5RfGNBw8d2Sl:deYqySZGcwh0
MD5:	AE12041F25327835B2EBBC50C8138FD1
SHA1:	4801E18141FD3D2E6331129FD37BA3FD82C282AA
SHA-256:	A9F75D6402E071A2D24202DCE9515E7228A5293F616B4A8C5278A68DCAAF7BD2
SHA-512:	7128C0C0F9A0B58209543F50FBD135EA854AFD0A13EC6F78A0A89F139CE51D09D485A464B08A1340F68F2C7C1D1C887F33477620AF331D82D0117A5493460B3A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730342135);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730342135);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730342135);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173034

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.493807838639423
Encrypted:	false
SSDEEP:	192:AnaRtLYbBp6Ohj4qyaaXu6K1DNUL5RfGNBw8d2Sl:deYqySZGcwh0
MD5:	AE12041F25327835B2EBBC50C8138FD1
SHA1:	4801E18141FD3D2E6331129FD37BA3FD82C282AA
SHA-256:	A9F75D6402E071A2D24202DCE9515E7228A5293F616B4A8C5278A68DCAAF7BD2
SHA-512:	7128C0C0F9A0B58209543F50FBD135EA854AFD0A13EC6F78A0A89F139CE51D09D485A464B08A1340F68F2C7C1D1C887F33477620AF331D82D0117A5493460B3A
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730342135);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730342135);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730342135);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173034

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.330594530209862
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStJ2LXnIgt/pnxQwRlszT5sKts3eHVQj6TgRSamhujJlOsIomNVr0l:GUpOxwJ2/nR6G3eHTgRS4JlIquR4
MD5:	8D32123DEF9022ED8AE186F2E7F6357A
SHA1:	0E2CBFF77C64BD74D41664D63269FC3CA8D7798D
SHA-256:	A79F75C8C02645611FAFBE219F2D73BDBAFE30D0C9402AA88F8CF9632A7FC6E8
SHA-512:	7271A4791CB924C9ED35A20F0A498E00565EB99BDAA00863D01C6C95360E476AB8EE9367F3270ED74EC8CDEFB06A9BD6F111B48A76DC9D71CAEC8659F952650D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ea417fa-ac13-4af5-a5be-e17271f42b96}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730342140917,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P04962...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11438,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.330594530209862
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStJ2LXnIgt/pnxQwRlszT5sKts3eHVQj6TgRSamhujJlOsIomNVr0l:GUpOxwJ2/nR6G3eHTgRS4JlIquR4
MD5:	8D32123DEF9022ED8AE186F2E7F6357A
SHA1:	0E2CBFF77C64BD74D41664D63269FC3CA8D7798D
SHA-256:	A79F75C8C02645611FAFBE219F2D73BDBAFE30D0C9402AA88F8CF9632A7FC6E8
SHA-512:	7271A4791CB924C9ED35A20F0A498E00565EB99BDAA00863D01C6C95360E476AB8EE9367F3270ED74EC8CDEFB06A9BD6F111B48A76DC9D71CAEC8659F952650D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ea417fa-ac13-4af5-a5be-e17271f42b96}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730342140917,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P04962...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11438,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.330594530209862
Encrypted:	false
SSDEEP:	24:v+USUGlcAxStJ2LXnIgt/pnxQwRlszT5sKts3eHVQj6TgRSamhujJlOsIomNVr0l:GUpOxwJ2/nR6G3eHTgRS4JlIquR4
MD5:	8D32123DEF9022ED8AE186F2E7F6357A
SHA1:	0E2CBFF77C64BD74D41664D63269FC3CA8D7798D
SHA-256:	A79F75C8C02645611FAFBE219F2D73BDBAFE30D0C9402AA88F8CF9632A7FC6E8
SHA-512:	7271A4791CB924C9ED35A20F0A498E00565EB99BDAA00863D01C6C95360E476AB8EE9367F3270ED74EC8CDEFB06A9BD6F111B48A76DC9D71CAEC8659F952650D
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{8ea417fa-ac13-4af5-a5be-e17271f42b96}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730342140917,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P04962...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...11438,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032659631479815
Encrypted:	false
SSDEEP:	48:YrSAYnB6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycByTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9B3D61A3DBDB8BAF31D52CDAE2F0CD36
SHA1:	B273C7ABC832ADE2AD79480FD55DE4698656058D
SHA-256:	5DEE9ADA531F01538F94015F23C61C6C310C70EE00B84942A2EC7E4B89339797
SHA-512:	2D3F8F29024E8CAA0339A95CCFE864F5EF9A649D77B9A1AAF77607E1999875C4FE281ADBFAD8CF7CA4B48FA3AC0CC0875D43BB7D1F7FAAA5AF73FEF05D6BC8DF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T02:35:19.032Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032659631479815
Encrypted:	false
SSDEEP:	48:YrSAYnB6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycByTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	9B3D61A3DBDB8BAF31D52CDAE2F0CD36
SHA1:	B273C7ABC832ADE2AD79480FD55DE4698656058D
SHA-256:	5DEE9ADA531F01538F94015F23C61C6C310C70EE00B84942A2EC7E4B89339797
SHA-512:	2D3F8F29024E8CAA0339A95CCFE864F5EF9A649D77B9A1AAF77607E1999875C4FE281ADBFAD8CF7CA4B48FA3AC0CC0875D43BB7D1F7FAAA5AF73FEF05D6BC8DF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-31T02:35:19.032Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584668748342148
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	df53e224b7ec467a1ac0728fca54456d
SHA1:	3e9a3ded74a890ce8a5045297759b5a380b0bc2e
SHA256:	c0c74c1e71d23d484bfd9d6b6cd3f5baced40cbe19345991e9f1981bd20edf8c
SHA512:	1966dfcdbb317761f4340ec164215027ee59755507043219422b820575592e12bb2ffbc63e420076f769a210ff7033975dc53f757512e326489fa6c7102c3d9e
SSDEEP:	12288:bqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tw:bqDEvCTbMWu7rQYlBQcBiT6rprG8abw
TLSH:	10159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6722CF16 [Thu Oct 31 00:28:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FA16D0127D3h
jmp 00007FA16D0120DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA16D0122BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FA16D01228Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FA16D014E7Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FA16D014EC8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FA16D014EB1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	a2ca241dc775ca69aafae8ea32ce77cd	False	0.3156398338607595	data	5.373744839603535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 01:43:03.286571980 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.286657095 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:03.288136005 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.293433905 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.293467999 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:03.926662922 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:03.927556992 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.935276031 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.935297966 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:03.935405016 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:03.935585976 CET	443	49736	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:03.936353922 CET	49736	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:04.731066942 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:04.736450911 CET	80	49738	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:04.749006987 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:04.755084038 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:04.760072947 CET	80	49738	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:05.345262051 CET	80	49738	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:05.386864901 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:05.480443954 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.480519056 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:05.480649948 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.482007027 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.482040882 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:05.732505083 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.732601881 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:05.734606028 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.736406088 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:05.736442089 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:05.960278988 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:05.965378046 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:05.967418909 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:05.967562914 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:05.972444057 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:06.220783949 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.220810890 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.220869064 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.223359108 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.223376036 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.225326061 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.225380898 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.225567102 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.226902962 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.226922989 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.299083948 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.299159050 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.299601078 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.299762011 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.299791098 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.364378929 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.364644051 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.365472078 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.365694046 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.368865013 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.368885040 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.368974924 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.369149923 CET	443	49739	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.369326115 CET	49739	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.492587090 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:06.492635965 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:06.492805004 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:06.492981911 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:06.492999077 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:06.572468996 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:06.597507000 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.597729921 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.599268913 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.599958897 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.606026888 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.606046915 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.606136084 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.606308937 CET	443	49740	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.606453896 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.606497049 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.606551886 CET	49740	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.606808901 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.608292103 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:06.608320951 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:06.623209000 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:06.845588923 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.851345062 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.852124929 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.856153011 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.856158972 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.856224060 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.856404066 CET	443	49742	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.857508898 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.860440016 CET	49742	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.860578060 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.864377022 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.864393950 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.864485025 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.864633083 CET	443	49743	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.864818096 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.864841938 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.874677896 CET	49743	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.874870062 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.876112938 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:06.876127005 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:06.923758030 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.923935890 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.927045107 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.927066088 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.927501917 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.929944038 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.930054903 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:06.930131912 CET	443	49744	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:06.930697918 CET	49744	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:07.001195908 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.001341105 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.006526947 CET	80	49741	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:07.006652117 CET	49741	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.007015944 CET	80	49738	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:07.007064104 CET	49738	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.106508970 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.109087944 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.112720966 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.112740993 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.113106966 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.114797115 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.114912987 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.114972115 CET	443	49745	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.115298986 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.115354061 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.116692066 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.116708994 CET	49745	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.116739988 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.117024899 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.117042065 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.153568983 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.158904076 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:07.178107023 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.178574085 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:07.183399916 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:07.463623047 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:07.466120005 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:07.471338034 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:07.474244118 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:07.474272966 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:07.489648104 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:07.489665985 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:07.495304108 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:07.509460926 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:07.509526968 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:07.509568930 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:07.510040998 CET	443	49746	142.250.186.142	192.168.2.4
Oct 31, 2024 01:43:07.511547089 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:07.511554003 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:07.511609077 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:07.511946917 CET	443	49749	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:07.512701035 CET	49746	443	192.168.2.4	142.250.186.142
Oct 31, 2024 01:43:07.512705088 CET	49749	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:07.725337029 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.734813929 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.738096952 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.738143921 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.738569021 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.740629911 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.740701914 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.741015911 CET	443	49750	34.160.144.191	192.168.2.4
Oct 31, 2024 01:43:07.749676943 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.749676943 CET	49750	443	192.168.2.4	34.160.144.191
Oct 31, 2024 01:43:07.783927917 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:07.838406086 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.156816006 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.156858921 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.163846970 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.165290117 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.165307045 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.206552982 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.211424112 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.216625929 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.221519947 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.221580982 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.221698046 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.226526022 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.332854986 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.383688927 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.563478947 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.614002943 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.666847944 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.671967983 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.672136068 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.672416925 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.677463055 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.704127073 CET	80	49754	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:08.706762075 CET	49754	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:08.789891958 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.789908886 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.789974928 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.795561075 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.795572042 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.795676947 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.795799017 CET	443	49753	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.796103001 CET	49753	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.796171904 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.796257973 CET	443	49756	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.797419071 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.798738003 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:08.798774958 CET	443	49756	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:08.942703009 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:08.942789078 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:08.943058014 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:08.944430113 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:08.944463015 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:08.964740038 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:08.964772940 CET	443	49758	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:08.965111971 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:08.966432095 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:08.966454029 CET	443	49758	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:09.101958036 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:09.101984978 CET	443	49759	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:09.106473923 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:09.108400106 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:09.108413935 CET	443	49759	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:09.154915094 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:09.154970884 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:09.155090094 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:09.155299902 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:09.155339003 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:09.269602060 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:09.323529959 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:09.412786961 CET	443	49756	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:09.413079023 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:09.417377949 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:09.417406082 CET	443	49756	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:09.417493105 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:09.417684078 CET	443	49756	34.117.188.166	192.168.2.4
Oct 31, 2024 01:43:09.417747974 CET	49756	443	192.168.2.4	34.117.188.166
Oct 31, 2024 01:43:09.421612024 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:09.426450968 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:09.762481928 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:09.773099899 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:09.773602009 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:09.775686979 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:09.775799036 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:09.781953096 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:09.782776117 CET	443	49759	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:09.783587933 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:09.783601999 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:09.783823967 CET	443	49758	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:09.787154913 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:10.003629923 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:10.003679991 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:10.004523039 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:10.010128021 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:10.010158062 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:10.010823011 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:10.010868073 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:10.010885954 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:10.011284113 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:10.011328936 CET	443	49758	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:10.011358023 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:10.011430025 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:10.011506081 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:10.011792898 CET	443	49760	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:10.011873960 CET	443	49758	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:10.011890888 CET	49760	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:10.012284994 CET	49758	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:10.013667107 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.013695955 CET	443	49759	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.013771057 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.014210939 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.014261007 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.014262915 CET	443	49759	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.014549971 CET	49759	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.014573097 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.015887976 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.015906096 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.215358973 CET	443	49757	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:10.215444088 CET	49757	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:10.627856970 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.627935886 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.632875919 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.632885933 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.632965088 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:10.633147955 CET	443	49761	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:10.633193970 CET	49761	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:11.544599056 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:11.549397945 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:11.659171104 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:11.664093971 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:11.669164896 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:11.735591888 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:11.785599947 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:11.814609051 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:11.814655066 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:11.815043926 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:11.816884995 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:11.816910982 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:11.835892916 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:12.435606003 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:12.438076019 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:12.531387091 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:12.531415939 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:12.531522989 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:12.531908035 CET	443	49762	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:12.532004118 CET	49762	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.708729982 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.708781004 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.709165096 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.709264994 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.710123062 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.710213900 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.710285902 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.710294962 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.710438967 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.710470915 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.803190947 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:15.803221941 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:15.803760052 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:15.809139013 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:15.809540987 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:15.811031103 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:15.811048031 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:15.837053061 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:15.841945887 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:15.842163086 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.842196941 CET	443	49768	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.843605042 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.845407963 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:15.845423937 CET	443	49768	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:15.929071903 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:15.964945078 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:15.981475115 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:16.028337002 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:16.326556921 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:16.326638937 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:16.326729059 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:16.326807022 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:16.424956083 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:16.425050020 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:16.460845947 CET	443	49768	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:16.460937023 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.532299042 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.532376051 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.532421112 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:17.532804966 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.535053015 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.535085917 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.536084890 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.537226915 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:17.541100979 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.541197062 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.541342974 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.541372061 CET	443	49765	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.541404963 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.541627884 CET	443	49764	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.541887999 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:17.541907072 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:17.541922092 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:17.542146921 CET	443	49767	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:17.542249918 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.542269945 CET	443	49768	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.542315960 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.542551994 CET	443	49768	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.544325113 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.544338942 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.544377089 CET	49764	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.544379950 CET	49765	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.548263073 CET	49767	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:17.548281908 CET	49768	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.555979967 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:17.559103012 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.559154034 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.559665918 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.559803963 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.559819937 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.560832977 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:17.562439919 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.562472105 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.562850952 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.562972069 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.562988043 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.564811945 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.564838886 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.565001011 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.566348076 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:17.566359997 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:17.657666922 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:17.697981119 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:18.033806086 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:18.034132957 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:18.034188986 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:18.045025110 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:18.045056105 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:18.176079988 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.176279068 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.179297924 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.179320097 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.179516077 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.180324078 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.180715084 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.184304953 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.184397936 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.184719086 CET	443	49771	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.185111046 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.185116053 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.185177088 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.185302973 CET	49771	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.185302019 CET	443	49773	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.185482025 CET	49773	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.186669111 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.186748981 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.189380884 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.189393997 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.189711094 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.191828012 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.191828012 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.192030907 CET	443	49772	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:18.197516918 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.197516918 CET	49772	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:18.425421953 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:18.430335045 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:18.549930096 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:18.600589991 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:20.296917915 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:20.299069881 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.299113035 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:20.299316883 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.300765038 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.300777912 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:20.301856995 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:20.302417994 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.302426100 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:20.302521944 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.303850889 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.303864956 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:20.424052954 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:20.483848095 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:20.916753054 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:20.916848898 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.922147989 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.922158003 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:20.922230959 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.922445059 CET	443	49776	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:20.922513008 CET	49776	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:20.926785946 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:20.929259062 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.933212996 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.933218002 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:20.933288097 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:20.933516026 CET	443	49777	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:20.933562040 CET	49777	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:21.697709084 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:21.698784113 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:21.702606916 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:21.703676939 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:21.725698948 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:21.725781918 CET	443	49778	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:21.727842093 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:21.729186058 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:21.729223013 CET	443	49778	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:21.822144032 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:21.824934006 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:21.872251987 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:21.872261047 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:21.917046070 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:21.921916962 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.041520119 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.088444948 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:22.340014935 CET	443	49778	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:22.340106964 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:22.345312119 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:22.345340014 CET	443	49778	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:22.345426083 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:22.345546007 CET	443	49778	34.120.208.123	192.168.2.4
Oct 31, 2024 01:43:22.347676039 CET	49778	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:43:22.348197937 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:22.353040934 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.474431038 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.477497101 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:22.482455969 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.527380943 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:22.602087021 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:22.658905983 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:31.055969000 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.056018114 CET	443	49779	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:31.056298971 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.057679892 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.057699919 CET	443	49779	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:31.672646999 CET	443	49779	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:31.672897100 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.677578926 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.677593946 CET	443	49779	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:31.677676916 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.678014040 CET	443	49779	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:31.679310083 CET	49779	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:31.681210995 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:31.686207056 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:31.808176041 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:31.821487904 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:31.821561098 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:31.823365927 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:31.823515892 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:31.823535919 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:31.824538946 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:31.827209949 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:31.827239990 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:31.828990936 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:31.829080105 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:31.829090118 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:31.829334021 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:31.837903976 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:31.837973118 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:31.850826025 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:31.850919962 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:31.851095915 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:31.851120949 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:31.948792934 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:31.969131947 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:31.969189882 CET	443	49783	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:31.970268965 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:31.971693993 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:31.971712112 CET	443	49783	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:31.989078045 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:31.989114046 CET	443	49784	35.201.103.21	192.168.2.4
Oct 31, 2024 01:43:31.989207029 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:31.992551088 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:31.992573023 CET	443	49784	35.201.103.21	192.168.2.4
Oct 31, 2024 01:43:32.003459930 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.438750982 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.438822985 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.440182924 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.442122936 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.442137957 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.442312002 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.442461967 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.445178986 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.445210934 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.445600986 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.448431015 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.448524952 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.448610067 CET	443	49781	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.448748112 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.448796988 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.448956013 CET	49781	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.448976040 CET	443	49780	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.449109077 CET	49780	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.452764988 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.457616091 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.475087881 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:32.475135088 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:32.475202084 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:32.478245020 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:32.478257895 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:32.478755951 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:32.480918884 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:32.480993986 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:32.481120110 CET	443	49782	151.101.193.91	192.168.2.4
Oct 31, 2024 01:43:32.483143091 CET	49782	443	192.168.2.4	151.101.193.91
Oct 31, 2024 01:43:32.488559961 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.488596916 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.488955975 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.489101887 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.489110947 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.490788937 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.490819931 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.491094112 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.491192102 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.491203070 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.493181944 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.493190050 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.493479013 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.493594885 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:32.493601084 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:32.579679012 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.581995964 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.585719109 CET	443	49783	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:32.585798025 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:32.586976051 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.590481043 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:32.590507030 CET	443	49783	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:32.590553045 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:32.590687990 CET	443	49783	35.190.72.216	192.168.2.4
Oct 31, 2024 01:43:32.590971947 CET	49783	443	192.168.2.4	35.190.72.216
Oct 31, 2024 01:43:32.592799902 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.597604990 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.608944893 CET	443	49784	35.201.103.21	192.168.2.4
Oct 31, 2024 01:43:32.609041929 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:32.614064932 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:32.614095926 CET	443	49784	35.201.103.21	192.168.2.4
Oct 31, 2024 01:43:32.614142895 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:32.614406109 CET	443	49784	35.201.103.21	192.168.2.4
Oct 31, 2024 01:43:32.614667892 CET	49784	443	192.168.2.4	35.201.103.21
Oct 31, 2024 01:43:32.626862049 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.626907110 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.627377033 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.627497911 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:32.627507925 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:32.706638098 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.719938993 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.722433090 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.727286100 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.768336058 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:32.847033024 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:32.899890900 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:33.112596989 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.112826109 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.115503073 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.115518093 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.115834951 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.115848064 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.115931034 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.119030952 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.119043112 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.119673014 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.121614933 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.121731997 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.121874094 CET	443	49787	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.122450113 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.122508049 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.122636080 CET	443	49786	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.123528957 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.123550892 CET	49787	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.123564959 CET	49786	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.126741886 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:33.131659985 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:33.142061949 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.142277002 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.144866943 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.144871950 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.145193100 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.147052050 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.147150040 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.147252083 CET	443	49785	35.244.181.201	192.168.2.4
Oct 31, 2024 01:43:33.147322893 CET	49785	443	192.168.2.4	35.244.181.201
Oct 31, 2024 01:43:33.239357948 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:33.239588022 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:33.242480040 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:33.242492914 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:33.242810965 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:33.244556904 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:33.244663954 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:33.244719028 CET	443	49788	34.149.100.209	192.168.2.4
Oct 31, 2024 01:43:33.244851112 CET	49788	443	192.168.2.4	34.149.100.209
Oct 31, 2024 01:43:33.254175901 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:33.257334948 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:33.262211084 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:33.301196098 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:33.381810904 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:33.432677031 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:34.738694906 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:34.738725901 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:34.738877058 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:34.738980055 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:34.738986969 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.348828077 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.348920107 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.350043058 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.350099087 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.353142977 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.353153944 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.353486061 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.355938911 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.356034994 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.356136084 CET	443	56618	142.251.116.101	192.168.2.4
Oct 31, 2024 01:43:35.357853889 CET	56618	443	192.168.2.4	142.251.116.101
Oct 31, 2024 01:43:35.361236095 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:35.366116047 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:35.488230944 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:35.490300894 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:35.495203972 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:35.538734913 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:35.614943027 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:35.661144018 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:45.490386009 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:45.495307922 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:45.621931076 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:45.626912117 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:51.701481104 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:51.701605082 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:51.708317995 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:51.710000038 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:51.710038900 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:52.333422899 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:52.333462954 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:52.341283083 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:52.345172882 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:52.345204115 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:52.345266104 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:52.345432043 CET	443	56619	34.107.243.93	192.168.2.4
Oct 31, 2024 01:43:52.346390009 CET	56619	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:43:52.347857952 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:52.352741957 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:52.475739956 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:52.478883028 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:52.483727932 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:52.526185989 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:43:52.603266954 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:43:52.657776117 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:00.906883001 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:00.911735058 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:01.032746077 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:01.035586119 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:01.040374041 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:01.080173969 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:01.159641027 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:01.211699009 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:02.106795073 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.106842041 CET	443	56646	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.106941938 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.106976032 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.107228994 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.107244968 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.108187914 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108191967 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108194113 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108380079 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108414888 CET	443	56646	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.108586073 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108602047 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.108668089 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.108679056 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.726237059 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.726334095 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.726599932 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.726911068 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.729646921 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.729660034 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.729981899 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.731971025 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.731981993 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.732336998 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.734652996 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.734770060 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.734831095 CET	443	56647	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.734991074 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.735063076 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.735157013 CET	443	56648	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.735219002 CET	56647	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.735224009 CET	56648	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.739027977 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:02.743767977 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:02.754319906 CET	443	56646	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.754415035 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.757247925 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.757261038 CET	443	56646	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.758167028 CET	443	56646	34.120.208.123	192.168.2.4
Oct 31, 2024 01:44:02.759170055 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.759299040 CET	56646	443	192.168.2.4	34.120.208.123
Oct 31, 2024 01:44:02.865299940 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:02.893291950 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:02.898140907 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:02.916538000 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:03.017174006 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:03.073915005 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:12.867204905 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:12.872112036 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:13.036345005 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:13.041162968 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:22.879534006 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:22.884340048 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:23.049139977 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:23.053952932 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:32.443573952 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:32.443610907 CET	443	56813	34.107.243.93	192.168.2.4
Oct 31, 2024 01:44:32.443758011 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:32.445220947 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:32.445235968 CET	443	56813	34.107.243.93	192.168.2.4
Oct 31, 2024 01:44:32.893093109 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:32.897895098 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.051522017 CET	443	56813	34.107.243.93	192.168.2.4
Oct 31, 2024 01:44:33.051641941 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:33.055883884 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:33.057848930 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:33.057868958 CET	443	56813	34.107.243.93	192.168.2.4
Oct 31, 2024 01:44:33.057987928 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:33.058065891 CET	443	56813	34.107.243.93	192.168.2.4
Oct 31, 2024 01:44:33.058201075 CET	56813	443	192.168.2.4	34.107.243.93
Oct 31, 2024 01:44:33.060621977 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:33.064470053 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.066800117 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.189591885 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.193243980 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:33.198450089 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.240828991 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:33.317682028 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:33.378947020 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:43.207717896 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:43.213108063 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:43.339250088 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:43.347320080 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:53.235613108 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:53.240674019 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:44:53.351561069 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:44:53.356630087 CET	80	49755	34.107.221.82	192.168.2.4
Oct 31, 2024 01:45:03.242408991 CET	49751	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:45:03.247385979 CET	80	49751	34.107.221.82	192.168.2.4
Oct 31, 2024 01:45:03.358320951 CET	49755	80	192.168.2.4	34.107.221.82
Oct 31, 2024 01:45:03.363272905 CET	80	49755	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 01:43:03.286842108 CET	53137	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:03.294001102 CET	53	53137	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:03.296971083 CET	53418	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:03.304187059 CET	53	53418	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:04.692966938 CET	62317	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:04.736881971 CET	51771	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:04.743850946 CET	53	51771	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:04.755923033 CET	50830	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:04.763305902 CET	53	50830	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.469150066 CET	53049	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:05.475909948 CET	53	53049	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.480571032 CET	58450	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:05.487324953 CET	53	58450	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.497914076 CET	57953	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:05.504538059 CET	53	57953	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.707882881 CET	55352	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:05.709435940 CET	58809	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:05.714740038 CET	53	55352	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.716018915 CET	53	58809	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:05.948048115 CET	57029	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.207135916 CET	54515	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.214008093 CET	53	54515	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.215739965 CET	63224	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.220923901 CET	50950	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.224607944 CET	53	63224	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.225506067 CET	55245	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.227914095 CET	53	50950	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.228382111 CET	49357	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.232259035 CET	53	55245	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.232744932 CET	51895	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.235266924 CET	53	49357	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.239712000 CET	53	51895	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.299532890 CET	55684	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.306611061 CET	53	55684	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.322700024 CET	62388	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.330044031 CET	53	62388	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.484884024 CET	61264	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.491662025 CET	53	61264	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.492748976 CET	64547	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.499547958 CET	53	64547	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.500686884 CET	62925	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.507278919 CET	53	62925	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:06.700213909 CET	58178	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:06.734052896 CET	53	51035	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:08.674050093 CET	50791	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:08.681586027 CET	53	50791	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:08.686517954 CET	53569	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:08.693265915 CET	53	53569	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:08.696554899 CET	62954	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:08.703450918 CET	53	62954	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:08.964868069 CET	52003	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:08.971940994 CET	53	52003	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:08.972465992 CET	61553	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:08.979336977 CET	53	61553	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:09.084403038 CET	59754	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:09.091223001 CET	53	59754	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:09.102514029 CET	63454	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:09.110085964 CET	53	63454	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:09.132349968 CET	60670	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:09.139400005 CET	53	60670	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:11.542315960 CET	62119	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:11.549263000 CET	53	62119	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:11.555440903 CET	58529	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:11.589958906 CET	53	58529	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:11.591264963 CET	56555	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:11.639698982 CET	53	56555	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.564301968 CET	57043	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.571655989 CET	53	57043	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.805768013 CET	63855	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.806149006 CET	55076	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.809061050 CET	56815	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.812865973 CET	53	55076	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.813452959 CET	53	63855	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.815871954 CET	53	56815	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.817045927 CET	53958	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.817624092 CET	64258	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.824263096 CET	53	53958	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.824399948 CET	53	64258	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.826565981 CET	62267	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.831361055 CET	50269	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.833923101 CET	53	62267	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.834194899 CET	58103	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.838195086 CET	53	50269	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.840919971 CET	53	58103	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.846956015 CET	51262	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.847260952 CET	49678	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.847409010 CET	60008	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.854089975 CET	53	49678	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.854130983 CET	53	60008	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.854142904 CET	53	51262	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.860053062 CET	58697	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.860502005 CET	52239	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.866707087 CET	53	58697	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.867002964 CET	53	52239	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.868032932 CET	59297	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.875722885 CET	53	59297	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:15.879228115 CET	63213	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:15.886663914 CET	53	63213	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:20.297887087 CET	56380	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:20.304546118 CET	53	56380	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:21.726460934 CET	60859	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:21.733164072 CET	53	60859	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.056135893 CET	54647	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.063028097 CET	53	54647	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.820521116 CET	62390	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.822489023 CET	60494	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.828855038 CET	62211	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.829452038 CET	53	60494	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.836220980 CET	53	62211	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.836913109 CET	49754	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.837023973 CET	53	62390	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.838500977 CET	52173	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.843547106 CET	53	49754	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.846927881 CET	53	52173	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.852511883 CET	55706	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.859632969 CET	53	55706	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.975373983 CET	60842	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.983123064 CET	53	60842	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:31.989108086 CET	60041	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:31.997826099 CET	53	60041	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:32.019355059 CET	62065	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:32.027322054 CET	53	62065	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:32.053489923 CET	56595	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:32.060132980 CET	53	56595	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:32.582329988 CET	53059	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:32.627305984 CET	62414	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:32.633879900 CET	53	62414	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:34.126051903 CET	53	49339	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:51.692111969 CET	60949	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:51.699156046 CET	53	60949	1.1.1.1	192.168.2.4
Oct 31, 2024 01:43:51.700550079 CET	60662	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:43:51.708616972 CET	53	60662	1.1.1.1	192.168.2.4
Oct 31, 2024 01:44:00.907078028 CET	51233	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:44:02.098378897 CET	62539	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:44:02.105565071 CET	53	62539	1.1.1.1	192.168.2.4
Oct 31, 2024 01:44:02.740407944 CET	49542	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:44:02.747140884 CET	53	49542	1.1.1.1	192.168.2.4
Oct 31, 2024 01:44:32.444149017 CET	59805	53	192.168.2.4	1.1.1.1
Oct 31, 2024 01:44:32.450862885 CET	53	59805	1.1.1.1	192.168.2.4
Oct 31, 2024 01:44:33.060859919 CET	50613	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 01:43:03.286842108 CET	192.168.2.4	1.1.1.1	0xf601	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:03.296971083 CET	192.168.2.4	1.1.1.1	0x69c0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:04.692966938 CET	192.168.2.4	1.1.1.1	0x3110	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:04.736881971 CET	192.168.2.4	1.1.1.1	0x8ede	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:04.755923033 CET	192.168.2.4	1.1.1.1	0x674b	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:05.469150066 CET	192.168.2.4	1.1.1.1	0xbb51	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.480571032 CET	192.168.2.4	1.1.1.1	0xa868	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.497914076 CET	192.168.2.4	1.1.1.1	0xd241	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:05.707882881 CET	192.168.2.4	1.1.1.1	0x722f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.709435940 CET	192.168.2.4	1.1.1.1	0x4fe4	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.948048115 CET	192.168.2.4	1.1.1.1	0x4e85	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.207135916 CET	192.168.2.4	1.1.1.1	0x6227	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.215739965 CET	192.168.2.4	1.1.1.1	0x674	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.220923901 CET	192.168.2.4	1.1.1.1	0x311a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.225506067 CET	192.168.2.4	1.1.1.1	0x51e9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.228382111 CET	192.168.2.4	1.1.1.1	0xc9b8	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:06.232744932 CET	192.168.2.4	1.1.1.1	0x2481	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:06.299532890 CET	192.168.2.4	1.1.1.1	0x353	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.322700024 CET	192.168.2.4	1.1.1.1	0xfdc9	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:06.484884024 CET	192.168.2.4	1.1.1.1	0x1599	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.492748976 CET	192.168.2.4	1.1.1.1	0x1840	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.500686884 CET	192.168.2.4	1.1.1.1	0xab4c	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:06.700213909 CET	192.168.2.4	1.1.1.1	0x8558	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.674050093 CET	192.168.2.4	1.1.1.1	0x7f9d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.686517954 CET	192.168.2.4	1.1.1.1	0x7117	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.696554899 CET	192.168.2.4	1.1.1.1	0x7417	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:08.964868069 CET	192.168.2.4	1.1.1.1	0x167d	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.972465992 CET	192.168.2.4	1.1.1.1	0x7e6	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:09.084403038 CET	192.168.2.4	1.1.1.1	0xfad7	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:09.102514029 CET	192.168.2.4	1.1.1.1	0x50ed	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:09.132349968 CET	192.168.2.4	1.1.1.1	0x8843	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:11.542315960 CET	192.168.2.4	1.1.1.1	0xd950	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:11.555440903 CET	192.168.2.4	1.1.1.1	0x6ce3	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:11.591264963 CET	192.168.2.4	1.1.1.1	0xc5b6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.564301968 CET	192.168.2.4	1.1.1.1	0xebb2	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.805768013 CET	192.168.2.4	1.1.1.1	0x8af1	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.806149006 CET	192.168.2.4	1.1.1.1	0x4c1c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.809061050 CET	192.168.2.4	1.1.1.1	0xa6b	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.817045927 CET	192.168.2.4	1.1.1.1	0x17be	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.817624092 CET	192.168.2.4	1.1.1.1	0xded7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.826565981 CET	192.168.2.4	1.1.1.1	0x88fb	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.831361055 CET	192.168.2.4	1.1.1.1	0xea31	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.834194899 CET	192.168.2.4	1.1.1.1	0x6fc8	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.846956015 CET	192.168.2.4	1.1.1.1	0x7e46	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.847260952 CET	192.168.2.4	1.1.1.1	0xf0e	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.847409010 CET	192.168.2.4	1.1.1.1	0x1adb	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.860053062 CET	192.168.2.4	1.1.1.1	0x6eef	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.860502005 CET	192.168.2.4	1.1.1.1	0x721e	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.868032932 CET	192.168.2.4	1.1.1.1	0xaa64	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:15.879228115 CET	192.168.2.4	1.1.1.1	0xbbb2	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:20.297887087 CET	192.168.2.4	1.1.1.1	0x3ba5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:21.726460934 CET	192.168.2.4	1.1.1.1	0xb224	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:31.056135893 CET	192.168.2.4	1.1.1.1	0xb926	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:31.820521116 CET	192.168.2.4	1.1.1.1	0x67f3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.822489023 CET	192.168.2.4	1.1.1.1	0x810c	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:31.828855038 CET	192.168.2.4	1.1.1.1	0x2469	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.836913109 CET	192.168.2.4	1.1.1.1	0x47f5	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 31, 2024 01:43:31.838500977 CET	192.168.2.4	1.1.1.1	0x6da6	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.852511883 CET	192.168.2.4	1.1.1.1	0xfbd3	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 31, 2024 01:43:31.975373983 CET	192.168.2.4	1.1.1.1	0x285e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.989108086 CET	192.168.2.4	1.1.1.1	0x7759	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.019355059 CET	192.168.2.4	1.1.1.1	0xd079	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.053489923 CET	192.168.2.4	1.1.1.1	0xdaf7	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:43:32.582329988 CET	192.168.2.4	1.1.1.1	0x45bb	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.627305984 CET	192.168.2.4	1.1.1.1	0xb5c4	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:51.692111969 CET	192.168.2.4	1.1.1.1	0x964	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:51.700550079 CET	192.168.2.4	1.1.1.1	0x3a91	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:44:00.907078028 CET	192.168.2.4	1.1.1.1	0xc35d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:02.098378897 CET	192.168.2.4	1.1.1.1	0xd084	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:44:02.740407944 CET	192.168.2.4	1.1.1.1	0xba19	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:32.444149017 CET	192.168.2.4	1.1.1.1	0x14b0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 31, 2024 01:44:33.060859919 CET	192.168.2.4	1.1.1.1	0x2ed9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 01:43:03.279553890 CET	1.1.1.1	192.168.2.4	0x1674	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:03.294001102 CET	1.1.1.1	192.168.2.4	0xf601	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:04.699656010 CET	1.1.1.1	192.168.2.4	0x3110	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:04.699656010 CET	1.1.1.1	192.168.2.4	0x3110	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:04.743850946 CET	1.1.1.1	192.168.2.4	0x8ede	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:04.763305902 CET	1.1.1.1	192.168.2.4	0x674b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 01:43:05.475909948 CET	1.1.1.1	192.168.2.4	0xbb51	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.487324953 CET	1.1.1.1	192.168.2.4	0xa868	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.504538059 CET	1.1.1.1	192.168.2.4	0xd241	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:05.714740038 CET	1.1.1.1	192.168.2.4	0x722f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.716018915 CET	1.1.1.1	192.168.2.4	0x4fe4	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.716018915 CET	1.1.1.1	192.168.2.4	0x4fe4	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:05.954974890 CET	1.1.1.1	192.168.2.4	0x4e85	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:05.954974890 CET	1.1.1.1	192.168.2.4	0x4e85	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.214008093 CET	1.1.1.1	192.168.2.4	0x6227	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.224607944 CET	1.1.1.1	192.168.2.4	0x674	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:06.224607944 CET	1.1.1.1	192.168.2.4	0x674	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.227914095 CET	1.1.1.1	192.168.2.4	0x311a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.232259035 CET	1.1.1.1	192.168.2.4	0x51e9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.298405886 CET	1.1.1.1	192.168.2.4	0x21c7	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:06.298405886 CET	1.1.1.1	192.168.2.4	0x21c7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.306611061 CET	1.1.1.1	192.168.2.4	0x353	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.491662025 CET	1.1.1.1	192.168.2.4	0x1599	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:06.491662025 CET	1.1.1.1	192.168.2.4	0x1599	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:06.491662025 CET	1.1.1.1	192.168.2.4	0x1599	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.499547958 CET	1.1.1.1	192.168.2.4	0x1840	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:06.507278919 CET	1.1.1.1	192.168.2.4	0xab4c	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 31, 2024 01:43:06.709216118 CET	1.1.1.1	192.168.2.4	0x8558	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:08.681586027 CET	1.1.1.1	192.168.2.4	0x7f9d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.693265915 CET	1.1.1.1	192.168.2.4	0x7117	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.960705042 CET	1.1.1.1	192.168.2.4	0x15f4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:08.971940994 CET	1.1.1.1	192.168.2.4	0x167d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:09.091223001 CET	1.1.1.1	192.168.2.4	0xfad7	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:09.091223001 CET	1.1.1.1	192.168.2.4	0xfad7	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:09.110085964 CET	1.1.1.1	192.168.2.4	0x50ed	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:09.149624109 CET	1.1.1.1	192.168.2.4	0x11fc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:09.149624109 CET	1.1.1.1	192.168.2.4	0x11fc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:11.549263000 CET	1.1.1.1	192.168.2.4	0xd950	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:11.549263000 CET	1.1.1.1	192.168.2.4	0xd950	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:11.549263000 CET	1.1.1.1	192.168.2.4	0xd950	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:11.589958906 CET	1.1.1.1	192.168.2.4	0x6ce3	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:11.762892008 CET	1.1.1.1	192.168.2.4	0x288e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.812865973 CET	1.1.1.1	192.168.2.4	0x4c1c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:15.812865973 CET	1.1.1.1	192.168.2.4	0x4c1c	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.813452959 CET	1.1.1.1	192.168.2.4	0x8af1	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.815871954 CET	1.1.1.1	192.168.2.4	0xa6b	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:15.815871954 CET	1.1.1.1	192.168.2.4	0xa6b	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.824263096 CET	1.1.1.1	192.168.2.4	0x17be	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.824399948 CET	1.1.1.1	192.168.2.4	0xded7	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.833923101 CET	1.1.1.1	192.168.2.4	0x88fb	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.838195086 CET	1.1.1.1	192.168.2.4	0xea31	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.840919971 CET	1.1.1.1	192.168.2.4	0x6fc8	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.854089975 CET	1.1.1.1	192.168.2.4	0xf0e	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.854130983 CET	1.1.1.1	192.168.2.4	0x1adb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.854130983 CET	1.1.1.1	192.168.2.4	0x1adb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.854130983 CET	1.1.1.1	192.168.2.4	0x1adb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.854130983 CET	1.1.1.1	192.168.2.4	0x1adb	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 31, 2024 01:43:15.854142904 CET	1.1.1.1	192.168.2.4	0x7e46	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:15.854142904 CET	1.1.1.1	192.168.2.4	0x7e46	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.854142904 CET	1.1.1.1	192.168.2.4	0x7e46	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.854142904 CET	1.1.1.1	192.168.2.4	0x7e46	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.854142904 CET	1.1.1.1	192.168.2.4	0x7e46	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.866707087 CET	1.1.1.1	192.168.2.4	0x6eef	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.867002964 CET	1.1.1.1	192.168.2.4	0x721e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.867002964 CET	1.1.1.1	192.168.2.4	0x721e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.867002964 CET	1.1.1.1	192.168.2.4	0x721e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:15.867002964 CET	1.1.1.1	192.168.2.4	0x721e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.836220980 CET	1.1.1.1	192.168.2.4	0x2469	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.837023973 CET	1.1.1.1	192.168.2.4	0x67f3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.837023973 CET	1.1.1.1	192.168.2.4	0x67f3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.837023973 CET	1.1.1.1	192.168.2.4	0x67f3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.837023973 CET	1.1.1.1	192.168.2.4	0x67f3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.846927881 CET	1.1.1.1	192.168.2.4	0x6da6	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.846927881 CET	1.1.1.1	192.168.2.4	0x6da6	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.846927881 CET	1.1.1.1	192.168.2.4	0x6da6	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.846927881 CET	1.1.1.1	192.168.2.4	0x6da6	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.859632969 CET	1.1.1.1	192.168.2.4	0xfbd3	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 01:43:31.859632969 CET	1.1.1.1	192.168.2.4	0xfbd3	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 01:43:31.859632969 CET	1.1.1.1	192.168.2.4	0xfbd3	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 01:43:31.859632969 CET	1.1.1.1	192.168.2.4	0xfbd3	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Oct 31, 2024 01:43:31.983123064 CET	1.1.1.1	192.168.2.4	0x285e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:31.983123064 CET	1.1.1.1	192.168.2.4	0x285e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:31.997826099 CET	1.1.1.1	192.168.2.4	0x7759	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:31.997826099 CET	1.1.1.1	192.168.2.4	0x7759	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.027322054 CET	1.1.1.1	192.168.2.4	0xd079	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.589680910 CET	1.1.1.1	192.168.2.4	0x45bb	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:32.589680910 CET	1.1.1.1	192.168.2.4	0x45bb	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:32.633879900 CET	1.1.1.1	192.168.2.4	0xb5c4	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:32.633879900 CET	1.1.1.1	192.168.2.4	0xb5c4	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:43:33.159286022 CET	1.1.1.1	192.168.2.4	0xfa09	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:33.159286022 CET	1.1.1.1	192.168.2.4	0xfa09	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:43:51.699156046 CET	1.1.1.1	192.168.2.4	0x964	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:00.913964987 CET	1.1.1.1	192.168.2.4	0xc35d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:44:00.913964987 CET	1.1.1.1	192.168.2.4	0xc35d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:02.104923010 CET	1.1.1.1	192.168.2.4	0x9e2f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:02.747140884 CET	1.1.1.1	192.168.2.4	0xba19	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 31, 2024 01:44:33.068968058 CET	1.1.1.1	192.168.2.4	0x2ed9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 01:44:33.068968058 CET	1.1.1.1	192.168.2.4	0x2ed9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	34.107.221.82	80	2148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 01:43:04.755084038 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:05.345262051 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72712 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	34.107.221.82	80	2148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 01:43:05.967562914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:06.572468996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72735 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49751	34.107.221.82	80	2148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 01:43:07.178574085 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:07.783927917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72714 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:08.206552982 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:08.332854986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72715 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:09.421612024 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:09.762481928 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72716 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:09.781953096 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72716 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:11.659171104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:11.785599947 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72718 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:15.837053061 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:15.964945078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72722 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:17.555979967 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:18.033806086 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72724 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:18.034188986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72724 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:20.296917915 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:20.424052954 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72727 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:21.698784113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:21.824934006 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72728 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:22.348197937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:22.474431038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72729 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:31.681210995 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:31.808176041 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72738 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:32.452764988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:32.579679012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72739 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:32.592799902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:32.719938993 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72739 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:33.126741886 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:33.254175901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72740 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:35.361236095 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:35.488230944 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72742 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:43:45.490386009 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:43:52.347857952 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:43:52.475739956 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72759 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:44:00.906883001 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:44:01.032746077 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72767 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:44:02.739027977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:44:02.865299940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72769 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:44:12.867204905 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:22.879534006 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:32.893093109 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:33.060621977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 31, 2024 01:44:33.189591885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Wed, 30 Oct 2024 04:31:13 GMT Age: 72800 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 31, 2024 01:44:43.207717896 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:53.235613108 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:45:03.242408991 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49754	34.107.221.82	80	2148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 01:43:08.221698046 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49755	34.107.221.82	80	2148	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 01:43:08.672416925 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:09.269602060 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72738 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:11.544599056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:11.669164896 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72740 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:15.803760052 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:15.929071903 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72744 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:17.532421112 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:17.657666922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72746 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:18.034132957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72746 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:18.425421953 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:18.549930096 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72747 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:21.697709084 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:21.822144032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:21.917046070 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:22.041520119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72750 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:22.477497101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:22.602087021 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72751 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:31.824538946 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:31.948792934 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72760 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:32.581995964 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:32.706638098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72761 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:32.722433090 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:32.847033024 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72761 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:33.257334948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:33.381810904 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:35.490300894 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:35.614943027 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72764 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:43:45.621931076 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:43:52.478883028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:43:52.603266954 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72781 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:44:01.035586119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:44:01.159641027 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72790 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:44:02.893291950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:44:03.017174006 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72791 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:44:13.036345005 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:23.049139977 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:33.055883884 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:33.193243980 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 31, 2024 01:44:33.317682028 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 30 Oct 2024 04:30:51 GMT Age: 72822 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 31, 2024 01:44:43.339250088 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:44:53.351561069 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 31, 2024 01:45:03.358320951 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	20:42:56
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x510000
File size:	919'552 bytes
MD5 hash:	DF53E224B7EC467A1AC0728FCA54456D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1733327729.0000000001596000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1733215318.000000000158F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:42:56
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xf00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:42:56
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xf00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xf00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xf00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:42:58
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:42:59
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xf00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:42:59
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:42:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:42:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:42:59
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:43:00
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91cd4a2b-72b0-4e46-bfad-91a36ec11847} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973756fd10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	20:43:02
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20230927232528 -prefsHandle 3300 -prefMapHandle 3412 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25bbe570-7f0f-4b01-9f5a-d7672c0a84e6} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 1973757b310 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	20:43:07
Start date:	30/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5416 -prefMapHandle 5392 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8190c53c-95ea-4747-9d7c-b5fd9e2e76dd} 2148 "\\.\pipe\gecko-crash-server-pipe.2148" 19748c49d10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1586
Total number of Limit Nodes:	58

Executed Functions

Function 005142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0051430D

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetCurrentProcess.KERNEL32(?,005ACB64,00000000,?,?), ref: 00514422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00514429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00514454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00514466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00514474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0051447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005144A0

Strings

|O, xrefs: 005536F8
GetNativeSystemInfo, xrefs: 00514460
kernel32.dll, xrefs: 0051444F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction ID: ac8a0bbb934b3f79df29d2195ded40d43c13280d5240523b76426081269d0183
Opcode Fuzzy Hash: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction Fuzzy Hash: 7FA1E47190AAC0CFDB19C7697CC01D97FA57B3E780B285C99D4C59BA22D2704A4CEB39

Function 005142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005150AA,?,?,00000000,00000000), ref: 005142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005150AA,?,?,00000000,00000000), ref: 005142C9
LoadResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535BE
SizeofResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535D3
LockResource.KERNEL32(005150AA,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20,?), ref: 005535E6

Strings

SCRIPT, xrefs: 005142BF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction ID: e5e0dc8853f89fc7c25ddc1ad19a9260f9aa9c733a047f7e9c79c4dffda4c798
Opcode Fuzzy Hash: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction Fuzzy Hash: B6117C78200701BFE7218B65DC48F677FBAFFD6B51F108169B41296250DB71D8449A20

Function 00552BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005D2224), ref: 00552C10
ShellExecuteW.SHELL32(00000000,?,?,005D2224), ref: 00552C17

Strings

runas, xrefs: 00552C0B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 49a78bd8dfd4f7d67803ca02ab566bcddb0a5423d608a0b6cc5200ef0ed917e9
Instruction ID: f702cb7e64c365209b1356b3a388479cdc678667a0ed7ac8af206a66260bd42c
Opcode Fuzzy Hash: 49a78bd8dfd4f7d67803ca02ab566bcddb0a5423d608a0b6cc5200ef0ed917e9
Instruction Fuzzy Hash: C411E7311083426AEB14FF20D8699FD7FA4BFE1351F04082EF182421A2CF318AC9D712

Function 0057D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Process32NextW.KERNEL32(00000000,?), ref: 0057D52F
CloseHandle.KERNELBASE(00000000), ref: 0057D5DC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction ID: 0cbd07d4ea5bc414d7b2edae0afe1046bfdd6431b579897f7af5bc7426a4cc97
Opcode Fuzzy Hash: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction Fuzzy Hash: 2D318D71108301AFD301EF54D885AAFBFF8BFD9344F10492DF585821A1EB719988DBA2

Function 0057DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00555222), ref: 0057DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0057DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0057DBEE
FindClose.KERNEL32(00000000), ref: 0057DBFA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction ID: f0e16c42470e8858e4035df2d2e7cfdca5165d8050b9322c8c5084dd2548bc3d
Opcode Fuzzy Hash: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction Fuzzy Hash: 36F0A0308109105783216B78AC0D8AA3FBCAF42334B108702F87AC20E0EBB05D58EAA5

Function 00534CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D09
TerminateProcess.KERNEL32(00000000,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D10
ExitProcess.KERNEL32 ref: 00534D22

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction ID: ecd0645cbbe328e136bc984cf64a200a30c7cdb28f7f02806e61409061b09998
Opcode Fuzzy Hash: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction Fuzzy Hash: 2FE0B631000149ABCF11AF54DD09A593F69FB92785F104814FC059A132CB35ED46DE80

Function 0051BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#^, xrefs: 005607CE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#^
API String ID: 3964851224-2580200144
Opcode ID: 6244c6126ad68ef52789b87f9e2a5a74c538737c1166baa1c204131483369459
Instruction ID: 180d47d191b079c4de38bfffd8ad49dc2cea871e64a4e535c356fef6e14eddb3
Opcode Fuzzy Hash: 6244c6126ad68ef52789b87f9e2a5a74c538737c1166baa1c204131483369459
Instruction Fuzzy Hash: 0DA26B706083419FD714DF18C484B6ABFE1BF89304F14896DE89A9B392D772EC85CB92

Function 0059AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0059B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1D4
_wcslen.LIBCMT ref: 0059B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B236
_wcslen.LIBCMT ref: 0059B332

Part of subcall function 005805A7: GetStdHandle.KERNEL32(000000F6), ref: 005805C6

_wcslen.LIBCMT ref: 0059B34B
_wcslen.LIBCMT ref: 0059B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059B3B6
GetLastError.KERNEL32(00000000), ref: 0059B407
CloseHandle.KERNEL32(?), ref: 0059B439
CloseHandle.KERNEL32(00000000), ref: 0059B44A
CloseHandle.KERNEL32(00000000), ref: 0059B45C
CloseHandle.KERNEL32(00000000), ref: 0059B46E
CloseHandle.KERNEL32(?), ref: 0059B4E3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 43a43014b1f580ad8b960684a5f6ab0ab09a79e9713ab0665f4e669329167644
Instruction ID: 22fa9e0d10ca38dedbe654ad8102f7799fe74ffb57dea26696b9a8f2fa066a33
Opcode Fuzzy Hash: 43a43014b1f580ad8b960684a5f6ab0ab09a79e9713ab0665f4e669329167644
Instruction Fuzzy Hash: 20F189316043019FEB14EF24D999B6ABFE5BF85310F14895DF8899B2A2DB31EC44CB52

Function 0051D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0051D807
timeGetTime.WINMM ref: 0051DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB28
TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNELBASE(0000000A), ref: 0051DBB1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: ad42cfc20099b20138ad7b3a5367ebde2d2416db92e4700259c1c08a97043fd1
Instruction ID: fd57dc7d5e94747b1b16466e0e835fa13b7976316c91f25d005dd059956decd9
Opcode Fuzzy Hash: ad42cfc20099b20138ad7b3a5367ebde2d2416db92e4700259c1c08a97043fd1
Instruction Fuzzy Hash: EE42C5706087429FE728CF24C888BAABFF4BF95304F14495DE4958B291D774E884DFA2

Function 00512CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512D07
RegisterClassExW.USER32(00000030), ref: 00512D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
LoadIconW.USER32(000000A9), ref: 00512D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

AutoIt v3 GUI, xrefs: 00512D23
0, xrefs: 00512CE9
+, xrefs: 00512CF0
TaskbarCreated, xrefs: 00512D37

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction ID: f143d0c6b0c80f3b561a8e98a00846a8f3dcc9a9066f4841c4aa78f998568ed5
Opcode Fuzzy Hash: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction Fuzzy Hash: F021E3B5901258AFDB00DFA4E889BDDBFB4FB19700F00811AF551EA2A0D7B50548EFA4

Function 0055065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0055039A: CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

GetLastError.KERNEL32 ref: 0055076F
__dosmaperr.LIBCMT ref: 00550776
GetFileType.KERNELBASE(00000000), ref: 00550782
GetLastError.KERNEL32 ref: 0055078C
__dosmaperr.LIBCMT ref: 00550795
CloseHandle.KERNEL32(00000000), ref: 005507B5
CloseHandle.KERNEL32(?), ref: 005508FF
GetLastError.KERNEL32 ref: 00550931
__dosmaperr.LIBCMT ref: 00550938

Strings

H, xrefs: 005508BD

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction ID: 86c9dab704b1307408f9815d7b70e31a8ce6c6967f8c5cd898817c4fe478aa28
Opcode Fuzzy Hash: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction Fuzzy Hash: 7DA14636A101058FDF19AF68DCA5BAE3FA0FB46321F14115AFC119F2D1DB31981ADB91

Function 0051344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00513357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00513379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0051356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005531CE
RegCloseKey.ADVAPI32(?), ref: 00553210
_wcslen.LIBCMT ref: 00553277
_wcslen.LIBCMT ref: 00553286

Strings

\, xrefs: 0055328C
Include, xrefs: 00553184, 005531C5
Software\AutoIt v3\AutoIt, xrefs: 00513560
\Include\, xrefs: 00513527

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 8b1603e3cdd3a94386e423249b5f248d7ed76782cc7443d9aeeefbf5c27e7617
Instruction ID: 92f4a2eb1b32ecace75e30f4bbb629a098089ed271d80905e5beff44e7be68d5
Opcode Fuzzy Hash: 8b1603e3cdd3a94386e423249b5f248d7ed76782cc7443d9aeeefbf5c27e7617
Instruction Fuzzy Hash: 23716D714043419ED318DF65DC969ABBFE8BF99740F40082EF585871A4EB709A88DF61

Function 00512B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00512B9D
LoadIconW.USER32(00000063), ref: 00512BB3
LoadIconW.USER32(000000A4), ref: 00512BC5
LoadIconW.USER32(000000A2), ref: 00512BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00512BEF
RegisterClassExW.USER32(?), ref: 00512C40

Part of subcall function 00512CD4: GetSysColorBrush.USER32(0000000F), ref: 00512D07
Part of subcall function 00512CD4: RegisterClassExW.USER32(00000030), ref: 00512D31
Part of subcall function 00512CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
Part of subcall function 00512CD4: InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
Part of subcall function 00512CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
Part of subcall function 00512CD4: LoadIconW.USER32(000000A9), ref: 00512D85
Part of subcall function 00512CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

#, xrefs: 00512C16
0, xrefs: 00512C0F
AutoIt v3, xrefs: 00512C2F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction ID: ab420cb404ae0d20ee839d5fdab40278d11b92ac88542dcbe3edf1425b223d21
Opcode Fuzzy Hash: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction Fuzzy Hash: 90216A70E00358AFDB149FA5EC89AAD7FF4FB1CB50F00041AE580AA7A0D3B10548EF88

Function 0051B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0051BB4E

Strings

p#^, xrefs: 0051BA72
p#^, xrefs: 0051BB6B
x#^, xrefs: 00560168
x#^, xrefs: 00560207
p%^, xrefs: 0051BB32
p#^, xrefs: 0056024F
p%^, xrefs: 0051B8DC
p#^, xrefs: 00560263

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#^$p#^$p#^$p#^$p%^$p%^$x#^$x#^
API String ID: 1385522511-4203535142
Opcode ID: b3454789c6cf421d804655997e5273f1f32f2e59f4ebd367c96539c4fbd8d749
Instruction ID: ab7c176d0d6d1d13ccf653b3427978b31cdfbadf63a6a3eff6b17e545728e503
Opcode Fuzzy Hash: b3454789c6cf421d804655997e5273f1f32f2e59f4ebd367c96539c4fbd8d749
Instruction Fuzzy Hash: 6732BE35A00209EFEB14CF54C898ABEBFB9FF49314F148459E945AB391C774AD82CB91

Function 00513170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0051316A,?,?), ref: 005131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0051316A,?,?), ref: 00513204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00513227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0051316A,?,?), ref: 00513232
CreatePopupMenu.USER32 ref: 00513246
PostQuitMessage.USER32(00000000), ref: 00513267

Strings

TaskbarCreated, xrefs: 0051322D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 50daae57c2c84d453a3c3aba6bdf7661dea9d7be9e4876375b55130b2d6c7345
Instruction ID: 2ab847bb1c256f8f2e4315ca530101497210aa3205ea15995f18b23dfea5c71b
Opcode Fuzzy Hash: 50daae57c2c84d453a3c3aba6bdf7661dea9d7be9e4876375b55130b2d6c7345
Instruction Fuzzy Hash: E7414939240644B7FB186B78DC7DBFD3E59F756340F04052AF9528A1A1CB708AC8E7A5

Function 00511410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00511459
CoUninitialize.COMBASE ref: 005114F8
UnregisterHotKey.USER32(?), ref: 005116DD
DestroyWindow.USER32(?), ref: 005524B9
FreeLibrary.KERNEL32(?), ref: 0055251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0055254B

Strings

close all, xrefs: 00511454

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 10d15447c7f98f54702417cc64a86ce5e6c53b4398fd31a80765e62a8daaaad7
Instruction ID: 6868d8ac1e200b6f10c86dff4f2ce615e05f25ca166e739ad64f0d328634d7ee
Opcode Fuzzy Hash: 10d15447c7f98f54702417cc64a86ce5e6c53b4398fd31a80765e62a8daaaad7
Instruction Fuzzy Hash: 4AD1BD31701622CFEB19EF14D4A8A69FFA4BF46700F1441EEE94A6B252DB30AC56CF54

Function 00512C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00512C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00512CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CCF

Strings

edit, xrefs: 00512CAC
AutoIt v3, xrefs: 00512C89, 00512C8E, 00512C8F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction ID: b78191da6a19a4070b5bd1660b6506e9f4f27e897899a2873503c4c8845f81f5
Opcode Fuzzy Hash: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction Fuzzy Hash: 1FF03A755402D07EEB300713AC88E773EBDE7EBF50B00045EF940AA5A0C6711848EAB8

Function 00513B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B83

Strings

Control Panel\Mouse, xrefs: 00513B3E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction ID: 09d53879e9682ef28836425b54e2f20288d6eab53c977c5ae174cfe8191ab0fe
Opcode Fuzzy Hash: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction Fuzzy Hash: 35112AB5514208FFEB208FA5DC58AEFBBB8FF05744B104859A805D7110E2319E84A760

Function 00513923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005533A2

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Strings

Line: , xrefs: 005533EB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 1ecf6b4d813d80c10a1d2d3f5ef16ae300b3de30b6865f820957ad0eb967b7ef
Instruction ID: 37012539bff7429e0e1a0e8109a5fc8a43f79459d6da61c8ef5df5daa4e78fbd
Opcode Fuzzy Hash: 1ecf6b4d813d80c10a1d2d3f5ef16ae300b3de30b6865f820957ad0eb967b7ef
Instruction Fuzzy Hash: 2431E271408301AAE325EB20DC59BEBBFD8BF94710F100D2AF59993091EB709688C7C6

Function 00512DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00552C8C

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 00512DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Strings

X, xrefs: 00552C5A
`e], xrefs: 00552C85

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e]
API String ID: 779396738-2761306869
Opcode ID: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction ID: 6c7f1b1fc690e06ec670124cc7bb6c773e2ca169bf0c90e93474dc7d2e786c83
Opcode Fuzzy Hash: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction Fuzzy Hash: 64218171A002589BDB41DF98D849BEE7FF8BF89305F00405AE405A7241DBB45A898F61

Function 0052FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00530668

Part of subcall function 005332A4: RaiseException.KERNEL32(?,?,?,0053068A,?,005E1444,?,?,?,?,?,?,0053068A,00511129,005D8738,00511129), ref: 00533304

__CxxThrowException@8.LIBVCRUNTIME ref: 00530685

Strings

Unknown exception, xrefs: 00530692

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5f046944508990d77bcca195b3eb21cdaeacba7b5e0e1ffc2464641e2347036e
Instruction ID: 330f89fbd2b33b6d71b1ab31fef8c90d072caeb2ce816210f737f1f86866d3d9
Opcode Fuzzy Hash: 5f046944508990d77bcca195b3eb21cdaeacba7b5e0e1ffc2464641e2347036e
Instruction Fuzzy Hash: DEF0C23490030E77CF00B6A8E85AC9E7F7CBE81310F604532B824D65D5EF71EA65CA80

Function 005110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00511BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Part of subcall function 00511B4A: RegisterWindowMessageW.USER32(00000004,?,005112C4), ref: 00511BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051136A
OleInitialize.OLE32 ref: 00511388
CloseHandle.KERNEL32(00000000,00000000), ref: 005524AB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction ID: a2c1be7d9bad3e72d67d319451dd2cef8a1051d32bf9687fd9b9a2537118ac49
Opcode Fuzzy Hash: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction Fuzzy Hash: 8F71C1B5905B818ED78CDF79A9C56993EE0FBA9340744416BD08ACF3A1EB304488EF4D

Function 0057C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00513923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0057C259
KillTimer.USER32(?,00000001,?,?), ref: 0057C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0057C270

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction ID: 8268c38520dea522e2ad6d0c6ea99744c00fa1bb3e7c6e7c4814fcfdb04259e6
Opcode Fuzzy Hash: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction Fuzzy Hash: 9C31C574904744AFEB22CF64A895BEBBFECAB17304F00449DD2DE97242C7745A88DB51

Function 005486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005485CC,?,005D8CC8,0000000C), ref: 00548704
GetLastError.KERNEL32(?,005485CC,?,005D8CC8,0000000C), ref: 0054870E
__dosmaperr.LIBCMT ref: 00548739

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction ID: ca96c30c1691fcba0cd7422c8e6215f49d8d2d32e340fa7d64285d3245ada209
Opcode Fuzzy Hash: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction Fuzzy Hash: E0018E33A0426027D6A56B346889BFE2F59BBE277CF3A0519F8148B1D3EEB1CC819150

Function 0051DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNELBASE(0000000A), ref: 0051DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00561CC9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction ID: b04c57b5133ee7231b73540fc7dc41ed18e125d81c195027c2f3adf0a976cd47
Opcode Fuzzy Hash: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction Fuzzy Hash: DBF05E306483809BFB34CB608C89FEA7BBCFB95310F104918E64A830C0DB30A488DB29

Function 00521310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005217F6

Strings

CALL, xrefs: 005217C6

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 701ca465d049f906559bdf9f3f96fa77e5efb5f10a65e07d621672db1480f763
Instruction ID: 6634c6f1f2c92b9a7d328588e81a4e2057efe7602474ce4a2ff8a8cee2b1219c
Opcode Fuzzy Hash: 701ca465d049f906559bdf9f3f96fa77e5efb5f10a65e07d621672db1480f763
Instruction Fuzzy Hash: 9422AB706086529FC714DF14E484A2BBFF1BFA6314F18896DF4868B3A2D731E845CB86

Function 00513837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction ID: a3104f05ad26b2e79550cb6a0e322f9f8e9617fb0eba3216efbd6ecfaa37af3a
Opcode Fuzzy Hash: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction Fuzzy Hash: 3D319C705057019FE720DF24D8947DBBFE8FB59708F00092EF99997240E771AA88DB56

Function 0052F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0052F661

Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807

Sleep.KERNEL32(00000000), ref: 0056F2DE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 12a6b3d7e8acf3c36911949548642d6e51b677f8cb7934a2198f02dd5cec6bf1
Instruction ID: f6e850105bc36d4462306ecb572e2ca58b7f35d57296f5311e41e76973719d37
Opcode Fuzzy Hash: 12a6b3d7e8acf3c36911949548642d6e51b677f8cb7934a2198f02dd5cec6bf1
Instruction Fuzzy Hash: 0CF082312402169FE310EF65E449B9ABFF5FF96760F000029E859C72A0EB70A840CF90

Function 00514ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00514E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
Part of subcall function 00514E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
Part of subcall function 00514E90: FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD

Part of subcall function 00514E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
Part of subcall function 00514E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
Part of subcall function 00514E59: FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7194d4866a79915ef8ec09aabf73dce4a15e9113ac754805e5119d69ab1afc96
Instruction ID: 48b0312ac32c550c80d4d31d0f05ca6639ee46fab9d83a75a2a14cdf16941df8
Opcode Fuzzy Hash: 7194d4866a79915ef8ec09aabf73dce4a15e9113ac754805e5119d69ab1afc96
Instruction Fuzzy Hash: 7111C431600206AAEF15AB60D81AFED7FA5BFC0711F10442AF542AA2D1EE719E85DB50

Function 00548402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00548440

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction ID: 618b61f8fe42da43e59964d0c08dde0c02aa4591aef5de213732375e3dde6d57
Opcode Fuzzy Hash: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction Fuzzy Hash: 5311257590410AAFCF09DF58E9449EE7BF8FF48308F144059F808AB352DA30DA118BA4

Function 00545000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00544C7D: RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

_free.LIBCMT ref: 0054506C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: faf7293bcd45e29fdd4cd395ffc8697be0ccd866822b4e37b3ecc14e7bffd585
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 090126762047056BE3218E659889ADAFFE9FB89374F65051DE18883281EA30A805C6B4

Function 0053E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 6c5e10eb16971aa7c5077b82ff950d0662c1c295916054eef83bed6e1020f663
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 57F02D32510A1597D7313A65AC0FB9B3FE8BFD2339F100719F424931D1CB70D80186A5

Function 00544C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction ID: 4659401197991350d627ea968523f16c841bb239aadb1ac43c86834c658446de
Opcode Fuzzy Hash: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction Fuzzy Hash: 52F0E93168222567DB215F72AC8DBDB3F98BF917A9F1C4121BC15AA281CA30DC009EE0

Function 00543820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction ID: 2f5f05b9be6bcdeb8d9d0c5cea27efbf4dca003c3cd192af6aa530af4a067f40
Opcode Fuzzy Hash: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction Fuzzy Hash: F9E02B3110322596D7312A779C04BDBBF49BF927B8F050030BC14965B0DB21ED019AE1

Function 00514F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514F6D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 481e248888786dab5058cd4ea2bf296aa52614f0619bda266c4ebcc99ac3f866
Instruction ID: 2c9151721821c03295ce8f418c1f18d359c46c982612447c3d2c6a9ce3916412
Opcode Fuzzy Hash: 481e248888786dab5058cd4ea2bf296aa52614f0619bda266c4ebcc99ac3f866
Instruction Fuzzy Hash: B4F01571105792CFEB349F64E4948A2BFE4BF15329324997EE1EA86721C7319889DF10

Function 005A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005A2A66

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f5a5ce2487b24e0711a4b4f9e999c03bd242d5e58d26657475bc8d3cb6fd7a9e
Instruction ID: 3b6dae236ee1baa2f905901f1685248ec44deaee45dc9ab563c0c579abfe236a
Opcode Fuzzy Hash: f5a5ce2487b24e0711a4b4f9e999c03bd242d5e58d26657475bc8d3cb6fd7a9e
Instruction Fuzzy Hash: 9CE0DF32340116AEC710EA34EC859FE7F4CFB91390B004836AC2AD2100DB308985A6B0

Function 005130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 87b0ec55f3cdf01ecdcbf0170f025b3bd1782a08a607d2e5f2d50353eb9ae2f5
Instruction ID: 2e44d64593e3ac06e3c001d16dcfa6b478f94b00ec6f1aa0d4b352e3687bc47e
Opcode Fuzzy Hash: 87b0ec55f3cdf01ecdcbf0170f025b3bd1782a08a607d2e5f2d50353eb9ae2f5
Instruction Fuzzy Hash: D2F0A7709003449FEB52DB24DC897D97FBCB705708F0000E5A18896181DB7047CCCF55

Function 00512DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction ID: af6bb60d88b20b4a14c9e3f61be18ee2463dd605261ee7774c41c0eb110563f5
Opcode Fuzzy Hash: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction Fuzzy Hash: B9E0CD766041245BC71092589C09FEA7BDDEFC8790F050071FD09D7248DA60AD848550

Function 00512B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00513837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 005130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: be89c227c4e0883328b459421ed61efdf47b788cea86a10d855fd3cb58fd9110
Instruction ID: 9e774b8ef3a567c51a5a47a9b086c4ec7cdf331ecb298829a5f51daef80eac61
Opcode Fuzzy Hash: be89c227c4e0883328b459421ed61efdf47b788cea86a10d855fd3cb58fd9110
Instruction Fuzzy Hash: D3E0863130424617EB08BB75A86A5EDBF99BBE5351F40153EF182472A2CF658AC98352

Function 0055039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction ID: e3fdca1bd9b971a046894b3aa3ac286079517264a556a7e70bb7ea0c106ed27b
Opcode Fuzzy Hash: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction Fuzzy Hash: 8AD06C3214010DBBDF028F84DD06EDA3FAAFB48714F014000BE1856020C736E821EB90

Function 00511CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00511CBC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction ID: c4d423dec8d936809a059062ce4fa6cb68b61af6229407aa99593c5eb325b763
Opcode Fuzzy Hash: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction Fuzzy Hash: 96C09B352803449FF3184780BD8AF107754A36CB01F444401F6895D5E3C7B11814FA54

Non-executed Functions

Function 005A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A96C9
SendMessageW.USER32 ref: 005A96F2
GetKeyState.USER32(00000011), ref: 005A978B
GetKeyState.USER32(00000009), ref: 005A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A97AE
GetKeyState.USER32(00000010), ref: 005A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A97E9
SendMessageW.USER32 ref: 005A9810
SendMessageW.USER32(?,00001030,?,005A7E95), ref: 005A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005A9941
SetCapture.USER32(?), ref: 005A994A
ClientToScreen.USER32(?,?), ref: 005A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A99D6
ReleaseCapture.USER32 ref: 005A99E1
GetCursorPos.USER32(?), ref: 005A9A19
ScreenToClient.USER32(?,?), ref: 005A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9A80
SendMessageW.USER32 ref: 005A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9AEB
SendMessageW.USER32 ref: 005A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005A9B4A
GetCursorPos.USER32(?), ref: 005A9B68
ScreenToClient.USER32(?,?), ref: 005A9B75
GetParent.USER32(?), ref: 005A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9BFA
SendMessageW.USER32 ref: 005A9C2B
ClientToScreen.USER32(?,?), ref: 005A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9CDE
SendMessageW.USER32 ref: 005A9D01
ClientToScreen.USER32(?,?), ref: 005A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005A9D82

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetWindowLongW.USER32(?,000000F0), ref: 005A9E05

Strings

@GUI_DRAGID, xrefs: 005A997D
p#^, xrefs: 005A9990
F, xrefs: 005A9D07

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#^
API String ID: 3429851547-1742403966
Opcode ID: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction ID: 8b808e43fcf4666124bd06d5fd4d09a42a9fe7d8a9a0dbda268f7e4305b14c51
Opcode Fuzzy Hash: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction Fuzzy Hash: 8E427E34604251AFDB25CF28CC84AAEBFE5FF9A310F140A19F6998B2A1D731E854DF51

Function 005A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A7E
IsMenu.USER32(?), ref: 005A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4B20
GetWindowLongW.USER32(?,000000F0), ref: 005A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005A4C82
wsprintfW.USER32 ref: 005A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4D5A

Strings

%d/%02d/%02d, xrefs: 005A4CA8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0c04b1048c40f5069846f9c1fc17b47e059fff40233b5c6134db9a5d24a40eae
Instruction ID: ff3a53fc80c8389ccc4f5d2e9e7ab0a3bb3ed87342e9b58df4dc6d93e7d984d5
Opcode Fuzzy Hash: 0c04b1048c40f5069846f9c1fc17b47e059fff40233b5c6134db9a5d24a40eae
Instruction Fuzzy Hash: 9312CC71600255ABEB258FA8DC49BAE7FF8BF86310F104529F516EB2E1DBB49940CF50

Function 0052F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0052F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0056F474
IsIconic.USER32(00000000), ref: 0056F47D
ShowWindow.USER32(00000000,00000009), ref: 0056F48A
SetForegroundWindow.USER32(00000000), ref: 0056F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4AA
GetCurrentThreadId.KERNEL32 ref: 0056F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0056F4DE
SetForegroundWindow.USER32(00000000), ref: 0056F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F4F6
keybd_event.USER32(00000012,00000000), ref: 0056F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F50B
keybd_event.USER32(00000012,00000000), ref: 0056F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F519
keybd_event.USER32(00000012,00000000), ref: 0056F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F528
keybd_event.USER32(00000012,00000000), ref: 0056F52D
SetForegroundWindow.USER32(00000000), ref: 0056F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0056F557

Strings

Shell_TrayWnd, xrefs: 0056F46F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction ID: 278717d20a80338e72325e7e96d7edf358076d615b21dfaf1c2bde6e3d2b49e1
Opcode Fuzzy Hash: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction Fuzzy Hash: 30311D71E40218BBEB216BB55C4AFBF7E6CEB59B50F100466FA01E71D1CAB15D00ABA0

Function 00571201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00571286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005712A8
CloseHandle.KERNEL32(?), ref: 005712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005712D1
GetProcessWindowStation.USER32 ref: 005712EA
SetProcessWindowStation.USER32(00000000), ref: 005712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00571310

Part of subcall function 005710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
Part of subcall function 005710BF: CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Strings

default, xrefs: 0057130B
, xrefs: 0057125A
winsta0, xrefs: 005712CC
Z], xrefs: 00571392

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z]
API String ID: 22674027-3859823317
Opcode ID: cfa20db2f9aa0c81c2ad5fbc50ee5cc67b406882830cf36ebc7e918e5d04dd3d
Instruction ID: fcdd763ae2acfa499678418ae0f127607029247847ce67abfbfdbfc937ca58c6
Opcode Fuzzy Hash: cfa20db2f9aa0c81c2ad5fbc50ee5cc67b406882830cf36ebc7e918e5d04dd3d
Instruction Fuzzy Hash: 4881AF71900609AFDF219FA8EC49FEE7FBAFF05700F148129F918A61A0D7318944EB64

Function 00570B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570C00
GetLengthSid.ADVAPI32(?), ref: 00570C17
GetAce.ADVAPI32(?,00000000,?), ref: 00570C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570C6D
GetLengthSid.ADVAPI32(?), ref: 00570C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570C8C
HeapAlloc.KERNEL32(00000000), ref: 00570C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570CB4
CopySid.ADVAPI32(00000000), ref: 00570CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D45
HeapFree.KERNEL32(00000000), ref: 00570D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D55
HeapFree.KERNEL32(00000000), ref: 00570D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D65
HeapFree.KERNEL32(00000000), ref: 00570D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00570D78
HeapFree.KERNEL32(00000000), ref: 00570D7F

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction ID: beedb129fadc94d7be722a950c97dc8b2c039ac6c1c8008448bc0a75d78e36c9
Opcode Fuzzy Hash: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction Fuzzy Hash: F4713C71A0020AEBDF10DFA5EC48FAEBFB8BF15310F148515E919A7291D771A905EB60

Function 0058EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005ACC08), ref: 0058EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0058EB37
GetClipboardData.USER32(0000000D), ref: 0058EB43
CloseClipboard.USER32 ref: 0058EB4F
GlobalLock.KERNEL32(00000000), ref: 0058EB87
CloseClipboard.USER32 ref: 0058EB91
GlobalUnlock.KERNEL32(00000000), ref: 0058EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0058EBC9
GetClipboardData.USER32(00000001), ref: 0058EBD1
GlobalLock.KERNEL32(00000000), ref: 0058EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0058EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0058EC38
GetClipboardData.USER32(0000000F), ref: 0058EC44
GlobalLock.KERNEL32(00000000), ref: 0058EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0058EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0058ECF3
CountClipboardFormats.USER32 ref: 0058ED14
CloseClipboard.USER32 ref: 0058ED59

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction ID: 0a8b4eff1b4c06f5b63da2787e81935f4f73e1d3a40baabb761e3da65b3ec795
Opcode Fuzzy Hash: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction Fuzzy Hash: 5661BF34204202AFD300EF24D89AF6ABFB4BF95714F14451DF896A72A2DB31DD49DB62

Function 0058698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005869BE
FindClose.KERNEL32(00000000), ref: 00586A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A75

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00586AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00586ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00586B6A
%02d, xrefs: 00586C00, 00586C0A, 00586C5A, 00586CAA, 00586CFA, 00586D4A
%4d, xrefs: 00586BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00586B32
%03d, xrefs: 00586DA2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction ID: 6f7dfe815ac6d371e7caf7b60cfe1a6e556da292a00cf721f621d7a26a54f650
Opcode Fuzzy Hash: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction Fuzzy Hash: ECD15F72508301AED314EBA4D895EAFBBECBF88704F04491DF985D7291EB34DA44CB62

Function 00589642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00589663
GetFileAttributesW.KERNEL32(?), ref: 005896A1
SetFileAttributesW.KERNEL32(?,?), ref: 005896BB
FindNextFileW.KERNEL32(00000000,?), ref: 005896D3
FindClose.KERNEL32(00000000), ref: 005896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0058974A
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 00589768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00589772
FindClose.KERNEL32(00000000), ref: 0058977F
FindClose.KERNEL32(00000000), ref: 0058978F

Strings

*.*, xrefs: 005896F5

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction ID: e06b54ad8eba499b6b8a4fe478946e26cd636b6fb4b98312bde7f07f89520740
Opcode Fuzzy Hash: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction Fuzzy Hash: C531A03654021A6ADF24AFB5DC49AEE7FACFF4A320F184156F915F21A0EB30DE448B54

Function 0058979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00589819
FindClose.KERNEL32(00000000), ref: 00589824
FindFirstFileW.KERNEL32(*.*,?), ref: 00589840
SetCurrentDirectoryW.KERNEL32(?), ref: 00589890
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 005898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005898B8
FindClose.KERNEL32(00000000), ref: 005898C5
FindClose.KERNEL32(00000000), ref: 005898D5

Part of subcall function 0057DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0057DB00

Strings

*.*, xrefs: 0058983B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction ID: bd9c7d75efeca15d4609e96e3d13370477dbf0bc7207b4d0043f2a5b7b236691
Opcode Fuzzy Hash: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction Fuzzy Hash: 5431B23150021A6AEF20BFA4EC48AEE7FACBF46324F184156E954B2190DB30DE498F60

Function 0059BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0059BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0059BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0059C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0059C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0059C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059C382
RegCloseKey.ADVAPI32(00000000), ref: 0059C38F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: eae8f69349142d3cd5804ce407cb89e0f0217469f04ed1ff8fd1b16cc21e7b43
Instruction ID: 2c5b2b5bcfe71e4df36ba936dd4ff594d412014c7c1d8cc7b451444b97c19a2f
Opcode Fuzzy Hash: eae8f69349142d3cd5804ce407cb89e0f0217469f04ed1ff8fd1b16cc21e7b43
Instruction Fuzzy Hash: EC024C716042019FDB14DF28C895E2ABFE5BF89314F18889DF84ADB2A2D731ED45CB51

Function 00588195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00588257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00588267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00588273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00588310
SetCurrentDirectoryW.KERNEL32(?), ref: 00588324
SetCurrentDirectoryW.KERNEL32(?), ref: 00588356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0058838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00588395

Strings

*.*, xrefs: 0058839B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction ID: 7c475f708cf66aeafc0f9aa510feada81e8ccd3ae88b66f64402f6417c7d0f99
Opcode Fuzzy Hash: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction Fuzzy Hash: 47619E755043069FD710EF64C8459AEBBE9FF89310F448C1EF98993251EB31E945CB92

Function 0057D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0057D1DD
MoveFileW.KERNEL32(?,?), ref: 0057D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D237

Part of subcall function 0057D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0057D21C,?,?), ref: 0057D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0057D253
FindClose.KERNEL32(00000000), ref: 0057D264

Strings

\*.*, xrefs: 0057D0CD, 0057D0D6, 0057D0EB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction ID: abb67afadee84401edae6accc36a28799cbe7b2ee976bf676f5319ac9f69929a
Opcode Fuzzy Hash: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction Fuzzy Hash: B1617F3180110EAADF05EBE0D9569EDBFB5BF95300F648065E40677192EB316F49EB60

Function 0058ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0058ED91
EmptyClipboard.USER32 ref: 0058ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0058EDAC
CloseClipboard.USER32 ref: 0058EEA3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction ID: 2679c957e10afe80cde0d3453917f6397d87073afe060390bf164002e43e7b78
Opcode Fuzzy Hash: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction Fuzzy Hash: 8941CD35204611AFE320EF19D88AB19BFF5FF55318F14C499E8559B6A2C731EC46CB90

Function 0057E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

ExitWindowsEx.USER32(?,00000000), ref: 0057E932

Strings

@, xrefs: 0057E925
SeShutdownPrivilege, xrefs: 0057E902
, xrefs: 0057E920
, xrefs: 0057E95C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction ID: 3d8285020655f0a4da70bace973e2ded67ee0411d300582781ff7b42d04a9a9f
Opcode Fuzzy Hash: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction Fuzzy Hash: 86012B33610311ABEB642678BC8BFBF7E5CB719740F148862FE07E21D1D6605C44A294

Function 00591204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00591276
WSAGetLastError.WSOCK32 ref: 00591283
bind.WSOCK32(00000000,?,00000010), ref: 005912BA
WSAGetLastError.WSOCK32 ref: 005912C5
closesocket.WSOCK32(00000000), ref: 005912F4
listen.WSOCK32(00000000,00000005), ref: 00591303
WSAGetLastError.WSOCK32 ref: 0059130D
closesocket.WSOCK32(00000000), ref: 0059133C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction ID: 56d52344c05c3da122d081dace615ef2e542fafc9548844fce2655244f72d4ef
Opcode Fuzzy Hash: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction Fuzzy Hash: F34190356005129FDB10EF24C488B69BFE6BF86318F188588E8568F2D2C775EC85CBE1

Function 0057D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D481
FindClose.KERNEL32(00000000), ref: 0057D498
FindClose.KERNEL32(00000000), ref: 0057D4A1

Strings

\*.*, xrefs: 0057D3F2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction ID: 4492faea13b5ff97c31ade59f6912fc78f2ee5c62d5d3948ae735cf9f7e6cddb
Opcode Fuzzy Hash: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction Fuzzy Hash: 2D315E710083429BD701EF64D8599EFBFF8BEE2310F448E1DF4D552191EB60AA49E762

Function 0054E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0054E645

Strings

1#SNAN, xrefs: 0054F844
1#IND, xrefs: 0054F83D
1#INF, xrefs: 0054F852
1#QNAN, xrefs: 0054F84B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction ID: d7c299d255602201832638ca2b45f1e9c501374821133afc9694ce96cd203bf3
Opcode Fuzzy Hash: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction Fuzzy Hash: 58C25A72E046298FDB25CE28DD457EABBB5FB84308F1445EAD44EE7241E774AE818F40

Function 0058648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005864DC
CoInitialize.OLE32(00000000), ref: 00586639
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 00586650
CoUninitialize.OLE32 ref: 005868D4

Strings

.lnk, xrefs: 005864BA, 00586524, 005865E0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction ID: 5766b7b8f55e185325d770d0756ba79b2c9bba50ec100200c57fc73ef7d1915b
Opcode Fuzzy Hash: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction Fuzzy Hash: C2D15871508202AFD314EF24C8959ABBBE8FFD8304F40496DF5959B291EB31ED46CB92

Function 005922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005922E8

Part of subcall function 0058E4EC: GetWindowRect.USER32(?,?), ref: 0058E504

GetDesktopWindow.USER32 ref: 00592312
GetWindowRect.USER32(00000000), ref: 00592319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00592355
GetCursorPos.USER32(?), ref: 00592381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005923DF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction ID: ab8ac46f56834affceed31e8a00d84c1667fcb0944549a94fd558a1e514ce4f2
Opcode Fuzzy Hash: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction Fuzzy Hash: A231DE72505316AFCB20DF14D849B5BBBE9FF89310F000919F98997191DB34EA08CB92

Function 00589B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00589B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00589C8B

Part of subcall function 00583874: GetInputState.USER32 ref: 005838CB
Part of subcall function 00583874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00589BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00589C75

Strings

*.*, xrefs: 00589B5D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction ID: 07fbb771b0ffd4c3c3a9af82df8d12deabb020f8fa5dcd6892961e74eb99cc67
Opcode Fuzzy Hash: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction Fuzzy Hash: 9341827190420AAFDF15EFA4C899AEEBFB4FF45310F244456E815B2191EB319E84CF60

Function 0052997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00529A4E
GetSysColor.USER32(0000000F), ref: 00529B23
SetBkColor.GDI32(?,00000000), ref: 00529B36

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction ID: ac4656bfb01e6cd28b69ffb343ad604e2269c08c0de2d28f6bac8cdb54a34805
Opcode Fuzzy Hash: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction Fuzzy Hash: 5AA1F770108668AEE728AA2CAC9CE7F2E9DFF8B354F140609F502D77D1CB259D41D276

Function 00591806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0059185D
WSAGetLastError.WSOCK32 ref: 00591884
bind.WSOCK32(00000000,?,00000010), ref: 005918DB
WSAGetLastError.WSOCK32 ref: 005918E6
closesocket.WSOCK32(00000000), ref: 00591915

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction ID: 05880092055b06d605d49a7d571dcc5d2f2ce00b9ed365500872198dffedfaf6
Opcode Fuzzy Hash: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction Fuzzy Hash: 9451B275A002119FEB10AF24C88AF6A7FE5BF85718F048458F9165F3C3D771AD418BA1

Function 005A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005A1CC0
IsWindowEnabled.USER32 ref: 005A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005A1CDB
IsIconic.USER32 ref: 005A1CE9
IsZoomed.USER32 ref: 005A1CF7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b469fcc648145d2b52dc5432de62c34b3b2abcf9c8e2eeb290e155a30e72acab
Instruction ID: f34e508edbbdb1eaaefda7c8993fd17b0bf63b156bacadfb7320719a1a8a5ba5
Opcode Fuzzy Hash: b469fcc648145d2b52dc5432de62c34b3b2abcf9c8e2eeb290e155a30e72acab
Instruction Fuzzy Hash: 1C218331740A115FE7208F2AC854B6E7FE5FF96325F198068E8468B351CB71DC46CB98

Function 00518060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0051843C
ERCP, xrefs: 0051813C
VUUU, xrefs: 005183E8
VUUU, xrefs: 00555DF0
VUUU, xrefs: 005183FA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction ID: 8874fc9844aae64ebedaa98193ed84187a1ffb264a53b44f0b5359c1225db84e
Opcode Fuzzy Hash: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction Fuzzy Hash: F8A26A74A0061ACBEF348F58C8A47FDBBB1BB54311F6485AAD815A7281EB709D85CB90

Function 00578298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005782AA

Strings

(, xrefs: 005782F0
tb], xrefs: 005784F4
|, xrefs: 005782DA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb]$|
API String ID: 1659193697-2890004336
Opcode ID: d2dccfe8ccd06187e64653e1d08d85b8d376eb5b0dad65fc02501434a6169362
Instruction ID: 5acc7c38a10b7b2a8190d46f6875fdd5a946307441f06f886ed1275ad3df5567
Opcode Fuzzy Hash: d2dccfe8ccd06187e64653e1d08d85b8d376eb5b0dad65fc02501434a6169362
Instruction Fuzzy Hash: B2323574A006059FCB28CF59D485A6ABBF0FF48710B15C96EE49ADB7A1EB70E941CB40

Function 0057AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0057AAAC
SetKeyboardState.USER32(00000080), ref: 0057AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0057AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0057AB88

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction ID: 203444b62a6dd7f5777a18ed7777f30a5a573b2bb8ea35d84a609d72279fbf84
Opcode Fuzzy Hash: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction Fuzzy Hash: A8311530A40208AEFB25CA64E805BFE7FAABBC5310F04C21AF58D561D0D7748985E7A2

Function 0054BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0054BB7F

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

GetTimeZoneInformation.KERNEL32 ref: 0054BB91
WideCharToMultiByte.KERNEL32(00000000,?,005E121C,000000FF,?,0000003F,?,?), ref: 0054BC09
WideCharToMultiByte.KERNEL32(00000000,?,005E1270,000000FF,?,0000003F,?,?,?,005E121C,000000FF,?,0000003F,?,?), ref: 0054BC36

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 274848e7ae58009c6dd8762aecac3f63ca2c6028b9395b4ef5b57a5dc1ee8ffd
Instruction ID: dd9fdd6df58cb5e01f6c69140bd721f6b0eb12806f06c95152f79d0a78499e8c
Opcode Fuzzy Hash: 274848e7ae58009c6dd8762aecac3f63ca2c6028b9395b4ef5b57a5dc1ee8ffd
Instruction Fuzzy Hash: 9A31EF30904246DFDB08DF6ACCC08ADBFB8FF5631471446AAE190DB2A1C7309E45EB50

Function 0058CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0058CE89
GetLastError.KERNEL32(?,00000000), ref: 0058CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0058CEFE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 1af3c0899514d57734c9cb63f95676ed35028d830c355d1843ef6a41a15f8789
Instruction ID: 717ba3dc2f06fa270d90f1c0f6ecd6b7908c38c7464b4538ed53b1bc01d854b1
Opcode Fuzzy Hash: 1af3c0899514d57734c9cb63f95676ed35028d830c355d1843ef6a41a15f8789
Instruction Fuzzy Hash: 7521B0715003059BE731EF65D949BA67FFCFB51314F10481EEA46E2151E774ED089B60

Function 00585C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00585CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00585D17
FindClose.KERNEL32(?), ref: 00585D5F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 79b0d09b92e178131098571a6b97c929de154670db76545494c35672081107c8
Instruction ID: 134cebc8f3110ba2196c20fb66a251dfaa7e2fd0af79521c5f21ed227a080329
Opcode Fuzzy Hash: 79b0d09b92e178131098571a6b97c929de154670db76545494c35672081107c8
Instruction Fuzzy Hash: 8351CC346046029FC714DF28C488E9ABBE4FF49314F14855EE99A8B3A2EB30ED44CF91

Function 00542622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0054271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00542724
UnhandledExceptionFilter.KERNEL32(?), ref: 00542731

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction ID: a7e356534833ece82dee2b925e8f95037e498253b70cb1e6148de0dc3a26d460
Opcode Fuzzy Hash: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction Fuzzy Hash: EA31C27490122DABCB21DF68DD887DCBBB8BF18310F5041EAE80CA6260E7309F859F44

Function 005851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00585238
SetErrorMode.KERNEL32(00000000), ref: 005852A1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction ID: ccff98b3a51e8eda4305d98c6f91e0c6c59991862f3bc10c31d27e16c8ec55a6
Opcode Fuzzy Hash: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction Fuzzy Hash: EC312C75A00619DFDB00EF54D888EADBFB5FF49314F048099E805AB362DB31E85ACB90

Function 005716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530668
Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
GetLastError.KERNEL32 ref: 0057174A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction ID: de28525dfd52e3a4012d6f38bbe328d96869c7069b90e1cfbbb5f54c633fd75f
Opcode Fuzzy Hash: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction Fuzzy Hash: 5911CEB2400305AFD718AF58EC8AD6ABBBDFF45714B20C52EE05A57281EB70BC419B24

Function 0057D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0057D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D650

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction ID: 97260a61659f020e052c7f1a407080e120ad8ae6da29ee8d527df9d05606bc67
Opcode Fuzzy Hash: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction Fuzzy Hash: C2115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108156F908E7290D6704A059BA1

Function 00571663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0057168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005716A1
FreeSid.ADVAPI32(?), ref: 005716B1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction ID: 176b2a6727dfe6d7a91da12daf738ecc5d2fe21a0fde1488a30f27f53cf86fe0
Opcode Fuzzy Hash: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction Fuzzy Hash: 89F0F47195030DFBDB00DFE49D89AAEBBBCFB08604F508565E501E2181E774AA489A54

Function 0056D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0056D28C

Strings

X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction ID: 34cacf5799088c056a9b5001acc38c10fcd8f24555b7ad87b395c2364a787781
Opcode Fuzzy Hash: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction Fuzzy Hash: 84D0CAB880116DEACB94CBA0EC8CDDEBBBCBB15305F100A92F506A2040EB3496489F20

Function 0053CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fcaf572f7ff181801ed2caa820e665f338e686476372e5d8e27cefae35fad23e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E8020B72E002199BDF14CFA9C8906ADBFF5FF88314F25816AD819FB285D731AD418B94

Function 0051CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00560C40
p#^, xrefs: 0051CF7F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#^
API String ID: 0-3707816926
Opcode ID: 5c2919906132e98298bd135c688006b3cb8e7eb8045be21aa25c449b8d9b0fe3
Instruction ID: 2807d7fc1836201bd9873582010fc7f00350088419aac3f565dcc528cbf25a3d
Opcode Fuzzy Hash: 5c2919906132e98298bd135c688006b3cb8e7eb8045be21aa25c449b8d9b0fe3
Instruction Fuzzy Hash: 1C32C030940219DFEF14DF90D885AEEBFB9FF45304F108459E806AB292D736AD86CB60

Function 005868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00586918
FindClose.KERNEL32(00000000), ref: 00586961

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction ID: 92dfe15808c49cd0ccfba3780411d71d20029e8ed3f7a5579bcaf8d9de36e887
Opcode Fuzzy Hash: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction Fuzzy Hash: D71190356042019FD710DF29D489A16BFE5FF89328F14C699E8699F7A2CB30EC45CB91

Function 005837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837F4

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction ID: a6f8d38a89109b4b3722f9ac3bc4949022bce98d14447c11d8e8f71cdf397620
Opcode Fuzzy Hash: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction Fuzzy Hash: 7DF0EC706042152AE71067654C4DFDB3F9DFFC5B61F000175F905E2281D9609D48C7B0

Function 0057B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0057B270

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction ID: fa89f0b1796bb0ab1996e96e381df4b7cf9068d0bd5d1a0053f1d3c435a53079
Opcode Fuzzy Hash: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction Fuzzy Hash: 8CF01D7580424DABEB059FA0D805BBE7FB4FF09309F008409F955A5192C3798615AF94

Function 005710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b71e833ee5e7f328f20a3935f52b822c6ae686643d819bcbc8cb8507f77ef99b
Instruction ID: a9e1315f29f48ef04729aaa2af4eb85710bee989828662f9d1c3b48f999a4b77
Opcode Fuzzy Hash: b71e833ee5e7f328f20a3935f52b822c6ae686643d819bcbc8cb8507f77ef99b
Instruction Fuzzy Hash: 52E04F32004611AFE7252B11FC09E777FA9FF05310B10882EF4A6804B1DB626C90EB14

Function 0054676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00546766,?,?,00000008,?,?,0054FEFE,00000000), ref: 00546998

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction ID: e93db8e4fcc023ba353d75c78951ea72e99b9ec9bab419e8e81d22aa8d84caec
Opcode Fuzzy Hash: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction Fuzzy Hash: 22B15B31610609DFD719CF28C48ABA57FE0FF46368F258658E899CF2A2C335E991CB41

Function 0052B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0056851F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction ID: 5c5ea13b49c66f16d1b63a57e8fba0a420e47a1751b90403a6d7de34746e4853
Opcode Fuzzy Hash: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction Fuzzy Hash: 06126F75A002299BDF14DF58D8806FEBBF5FF59310F14859AE849EB291DB309E81CB90

Function 0058EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0058EABD

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction ID: e0f9a164f958f0ca17671cc39ec2c663608b09c8ba1b3d21dd89983a255078c8
Opcode Fuzzy Hash: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction Fuzzy Hash: EAE01A312002059FE710EF59D809E9ABFE9BF99760F008416FC49D7351DA70E8818B90

Function 005309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005303EE), ref: 005309DA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction ID: 6731236b3270fc932bb6af9d12ce81b37ddfd2a7c636efd81943a63c572f10a7
Opcode Fuzzy Hash: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction Fuzzy Hash:

Function 0053781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0053798B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c72c856620d185eec990f30792e31fc344d2dd9885a31418fd5a459ee12330fe
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EF516CF2E0C74E6BDB384568485E7BEAFC5BB5E340F180A49E982D7382C615DE01D355

Function 00582046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&^, xrefs: 00582053

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: 0&^
API String ID: 0-2485633877
Opcode ID: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction ID: efdc774adaccca72eb9060afdade9a38d72b28871f9316ceea658329a6bf2281
Opcode Fuzzy Hash: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction Fuzzy Hash: DE21D5326206518BDB2CCE79C82767A77E9B7A4310F14862EE4A7D73D0DE75A904DB80

Function 00546DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction ID: 538f5619cd2a7d3531932885f1cc1bcf4285ae1ba0609ecf9c2ad259a2c2a61d
Opcode Fuzzy Hash: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction Fuzzy Hash: 28324431D28F054EDB639634C8223756A8DAFBB3C9F15C737E81AB59A6EB28D4835100

Function 0052CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction ID: b4b2b6670b6a46d1a79ee37a0e1aa948a2e83be6d24b152ad9c1740506fc0e11
Opcode Fuzzy Hash: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction Fuzzy Hash: 1132F232A001658BDF28CE69D89467D7FA1FF46300F28856BD4EADB792D630DE81DB41

Function 00517920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc1533485a4c2fd750e087535616ecf4d5019415d79d3031f2614d04daca0d
Instruction ID: 96dd3358aa9fc646125892e4841828c2d94547bf540d9603fff657cf00a5c39a
Opcode Fuzzy Hash: eecc1533485a4c2fd750e087535616ecf4d5019415d79d3031f2614d04daca0d
Instruction Fuzzy Hash: 5A22B270A0460ADFEF14CF68D865AEEBBB5FF48301F10452AE816A7291FB35AD54CB50

Function 005191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d770ef0d9a7176a2467d92ad6cdde11272bfe1d777bf8cdb7839571a0c374b85
Instruction ID: 569ac9444a55ac1755b9f3dd5d1498b080e8181ff17d1e372d27061967790070
Opcode Fuzzy Hash: d770ef0d9a7176a2467d92ad6cdde11272bfe1d777bf8cdb7839571a0c374b85
Instruction Fuzzy Hash: 5E02E8B1E00206EBDB05DF64D896AADBFB5FF44300F11856AE816DB291E731EE54CB81

Function 00549EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d3c448c2e139b22669b5166a571d3b3392011c7eb69f44aa409d58a05b9351
Instruction ID: 43689ecb61664e5e97fa1c94646beb450a6b8f5327d9f42c02463b4ded8d3e6b
Opcode Fuzzy Hash: c6d3c448c2e139b22669b5166a571d3b3392011c7eb69f44aa409d58a05b9351
Instruction Fuzzy Hash: 39B1F120D2AF404DD36396398831337BA8CAFBB2C5F91DB1BFC1674D22EB2295879140

Function 00531C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 776d4bfb39ffbb146dbfbe42a2817ca310806dc6a39976d7a32dd73c1ccdbdd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C99178732084A34ADB69463E857407EFFE17A923A1B1A0B9DD4F2CB1C5FE24C954E724

Function 00531F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21dd7a12f8bab4f36f37a557ca2ede4b7b7922c3b09308ea03b2df29e2c0caf0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9B916A732098A349D76D423D857803DFFE16A923A1F1A079DD4F2CB1C5EE24D568D624

Function 005319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7b77afa1755ae17b678c8bd0505fc09574663a2bd1a061a7bc7b46bc2d8ed6bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9145732098E34EDB2D467A857403EFFE16A923A2B1A079DD4F2CB1C1FE14C964D624

Function 00537A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction ID: 50b5a69be44266dd7199e9a4bae3124cc82c5a7c218cc410244de98d72f1e9bc
Opcode Fuzzy Hash: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction Fuzzy Hash: 2F612AF1E0874E66DA785A2849B5BBEAFA4FF8D700F140D19F843DB281E6119E41C355

Function 00537CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d23281aacfac0db8e7e6f601fe87771f226220c8713d3e1c89d8b957484ce0d
Instruction ID: 7d8ec3ef7723152945fb120f14bb6e29f03ec609e5954a80949da84eca23569d
Opcode Fuzzy Hash: 1d23281aacfac0db8e7e6f601fe87771f226220c8713d3e1c89d8b957484ce0d
Instruction Fuzzy Hash: 0A6159F1E0870E66DE389A388895BBE2F98FF8E700F540D59F943DB281DA129D42D255

Function 00531706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 9127fcd35deeb4ff7a40335f90b528e0281608f6d0aa8d038872b92310812c53
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E98188336094A34DDB6D863A853453EFFE17A923A1B1E079DD4F2CB1C1EE24C554D628

Function 00592ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00592B30
DeleteObject.GDI32(00000000), ref: 00592B43
DestroyWindow.USER32 ref: 00592B52
GetDesktopWindow.USER32 ref: 00592B6D
GetWindowRect.USER32(00000000), ref: 00592B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00592CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00592CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592CF8
GetClientRect.USER32(00000000,?), ref: 00592D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00592D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D80
GlobalLock.KERNEL32(00000000), ref: 00592D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D98
GlobalUnlock.KERNEL32(00000000), ref: 00592DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DA8
GlobalFree.KERNEL32(00000000), ref: 00592DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,00000000), ref: 00592DDB
GlobalFree.KERNEL32(00000000), ref: 00592DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00592E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00592E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0059303F

Strings

AutoIt v3, xrefs: 00592CF2
DISPLAY, xrefs: 00592EA2
, xrefs: 00592FC5
static, xrefs: 00592D3A, 00592E91

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction ID: a658e8566bcbc5b811fbe4d2704be4992c5475ad60fac345de20c93da84dea2f
Opcode Fuzzy Hash: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction Fuzzy Hash: 75027A71A00209AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB74AD45DB60

Function 005A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005A712F
GetSysColorBrush.USER32(0000000F), ref: 005A7160
GetSysColor.USER32(0000000F), ref: 005A716C
SetBkColor.GDI32(?,000000FF), ref: 005A7186
SelectObject.GDI32(?,?), ref: 005A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005A71C0
GetSysColor.USER32(00000010), ref: 005A71C8
CreateSolidBrush.GDI32(00000000), ref: 005A71CF
FrameRect.USER32(?,?,00000000), ref: 005A71DE
DeleteObject.GDI32(00000000), ref: 005A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005A7230
FillRect.USER32(?,?,?), ref: 005A7262
GetWindowLongW.USER32(?,000000F0), ref: 005A7284

Part of subcall function 005A73E8: GetSysColor.USER32(00000012), ref: 005A7421
Part of subcall function 005A73E8: SetTextColor.GDI32(?,?), ref: 005A7425
Part of subcall function 005A73E8: GetSysColorBrush.USER32(0000000F), ref: 005A743B
Part of subcall function 005A73E8: GetSysColor.USER32(0000000F), ref: 005A7446
Part of subcall function 005A73E8: GetSysColor.USER32(00000011), ref: 005A7463
Part of subcall function 005A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
Part of subcall function 005A73E8: SelectObject.GDI32(?,00000000), ref: 005A7482
Part of subcall function 005A73E8: SetBkColor.GDI32(?,00000000), ref: 005A748B
Part of subcall function 005A73E8: SelectObject.GDI32(?,?), ref: 005A7498
Part of subcall function 005A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
Part of subcall function 005A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
Part of subcall function 005A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7d2662fc6c75d5dbd695689becbd05c487dc761a8db31f03dbda7c2543cb19fb
Instruction ID: 9e0bcbd9bb9c35c7f9045a8e5b9d3a3e4844c77660121f3b47190b4ba9668048
Opcode Fuzzy Hash: 7d2662fc6c75d5dbd695689becbd05c487dc761a8db31f03dbda7c2543cb19fb
Instruction Fuzzy Hash: 96A19C72508305AFDB009F60DC48A6FBFE9FF9E320F100A19FA62961A1D730E948DB51

Function 00528D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00528E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00566AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00566AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00566F43

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

SendMessageW.USER32(?,00001053), ref: 00566F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00566F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FB7

Strings

0, xrefs: 00566DCF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction ID: f4de8b26466931e39962bd73c3442262321286c3043d3a9156dd4324a2c4ea55
Opcode Fuzzy Hash: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction Fuzzy Hash: 0C129B30601651EFDB25CF14D888BBABFE9FF5A300F144569E485CB2A2CB32AC55DB91

Function 00592711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0059273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00592900
GetClientRect.USER32(00000000,?), ref: 0059290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00592955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00592964
GetStockObject.GDI32(00000011), ref: 00592974
SelectObject.GDI32(00000000,00000000), ref: 00592978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00592988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00592991
DeleteDC.GDI32(00000000), ref: 0059299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00592A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00592A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00592A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00592A77
GetStockObject.GDI32(00000011), ref: 00592A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00592A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00592A97

Strings

AutoIt v3, xrefs: 005928F8
msctls_progress32, xrefs: 00592A13
DISPLAY, xrefs: 0059295A
static, xrefs: 0059294F, 00592A71

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction ID: ea1cfc400f18c441bae5644aa6780bcb876581a182681f117f3de12bcfcece12
Opcode Fuzzy Hash: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction Fuzzy Hash: 30B14A71A00219BFEB14DFA8CC89EAE7BA9FB59710F008515F915EB290D770AD44CBA4

Function 00584ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584AED
GetDriveTypeW.KERNEL32(?,005ACB68,?,\\.\,005ACC08), ref: 00584BCA
SetErrorMode.KERNEL32(00000000,005ACB68,?,\\.\,005ACC08), ref: 00584D36

Strings

Network, xrefs: 00584C02
Virtual, xrefs: 00584CE5
SAS, xrefs: 00584CC9
Fixed, xrefs: 00584C09
ATAPI, xrefs: 00584C91
FileBackedVirtual, xrefs: 00584CEC
SATA, xrefs: 00584CD0
Fibre, xrefs: 00584CAD
USB, xrefs: 00584CB4
SSA, xrefs: 00584CA6
SCSI, xrefs: 00584C8A
Unknown, xrefs: 00584BED, 00584C83
MMC, xrefs: 00584CDE
RAMDisk, xrefs: 00584BF4
\\.\, xrefs: 00584B3F
Removable, xrefs: 00584C10, 00584C15
PhysicalDrive, xrefs: 00584B76
1394, xrefs: 00584C9F
iSCSI, xrefs: 00584CC2
CDROM, xrefs: 00584BFB
RAID, xrefs: 00584CBB
ATA, xrefs: 00584C98
SSD, xrefs: 00584C4A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction ID: a4fe4a10574a2f80bbe6cb3e0c7aae25122c1ee87098477094d33ddda477cca2
Opcode Fuzzy Hash: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction Fuzzy Hash: 9F619F306052079BCB24FF28DA859A8BFB5BB44300B248817EC06BB391DB71ED42DF51

Function 005A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005A7421
SetTextColor.GDI32(?,?), ref: 005A7425
GetSysColorBrush.USER32(0000000F), ref: 005A743B
GetSysColor.USER32(0000000F), ref: 005A7446
CreateSolidBrush.GDI32(?), ref: 005A744B
GetSysColor.USER32(00000011), ref: 005A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
SelectObject.GDI32(?,00000000), ref: 005A7482
SetBkColor.GDI32(?,00000000), ref: 005A748B
SelectObject.GDI32(?,?), ref: 005A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005A7572
DrawFocusRect.USER32(?,?), ref: 005A757D
GetSysColor.USER32(00000011), ref: 005A758E
SetTextColor.GDI32(?,00000000), ref: 005A7596
DrawTextW.USER32(?,005A70F5,000000FF,?,00000000), ref: 005A75A8
SelectObject.GDI32(?,?), ref: 005A75BF
DeleteObject.GDI32(?), ref: 005A75CA
SelectObject.GDI32(?,?), ref: 005A75D0
DeleteObject.GDI32(?), ref: 005A75D5
SetTextColor.GDI32(?,?), ref: 005A75DB
SetBkColor.GDI32(?,?), ref: 005A75E5

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 86f65d116e512241c141611f9c427f2bd52af713844a7c7dda0def17ccb5f4db
Instruction ID: fd6aa1b34001fde29dca1707c8de140ed363b044908c8989d770abc0267c3d0f
Opcode Fuzzy Hash: 86f65d116e512241c141611f9c427f2bd52af713844a7c7dda0def17ccb5f4db
Instruction Fuzzy Hash: 19614A72D04218AFDF019FA4DC49AAEBFB9FF0E320F114525F915AB2A1D7749940DB90

Function 005A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005A1128
GetDesktopWindow.USER32 ref: 005A113D
GetWindowRect.USER32(00000000), ref: 005A1144
GetWindowLongW.USER32(?,000000F0), ref: 005A1199
DestroyWindow.USER32(?), ref: 005A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005A1245
IsWindowVisible.USER32(00000000), ref: 005A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005A12D0
GetWindowRect.USER32(00000000,?), ref: 005A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005A130E
GetMonitorInfoW.USER32(00000000,?), ref: 005A1328
CopyRect.USER32(?,?), ref: 005A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005A13AA

Strings

0, xrefs: 005A10D3
tooltips_class32, xrefs: 005A11E6
(, xrefs: 005A131B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction ID: 198b70755214fe71dde5ade3987a4bcd251b9b3215ad0fd46f9e56ff55373691
Opcode Fuzzy Hash: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction Fuzzy Hash: D9B18E71608741AFE704DF64C888BAEBFE5FF89350F008919F9999B261D731E844CB95

Function 00528891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00528968
GetSystemMetrics.USER32(00000007), ref: 00528970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0052899B
GetSystemMetrics.USER32(00000008), ref: 005289A3
GetSystemMetrics.USER32(00000004), ref: 005289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00528A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00528A3C
GetClientRect.USER32(00000000,000000FF), ref: 00528A5A
GetStockObject.GDI32(00000011), ref: 00528A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00528A81

Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D

SetTimer.USER32(00000000,00000000,00000028,005290FC), ref: 00528AA8

Strings

AutoIt v3 GUI, xrefs: 00528A20

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction ID: a49518bc8308b6110373f55120e4a08c53023691890e86ad0f41bf4d57921c7d
Opcode Fuzzy Hash: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction Fuzzy Hash: AAB17971A0021A9FDB14DFA8DD89BAE7FB5FB49314F104229FA15EB2D0DB30A840DB55

Function 00570D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570E29
GetLengthSid.ADVAPI32(?), ref: 00570E40
GetAce.ADVAPI32(?,00000000,?), ref: 00570E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570E96
GetLengthSid.ADVAPI32(?), ref: 00570EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570EB5
HeapAlloc.KERNEL32(00000000), ref: 00570EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570EDD
CopySid.ADVAPI32(00000000), ref: 00570EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F6E
HeapFree.KERNEL32(00000000), ref: 00570F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F7E
HeapFree.KERNEL32(00000000), ref: 00570F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F8E
HeapFree.KERNEL32(00000000), ref: 00570F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00570FA1
HeapFree.KERNEL32(00000000), ref: 00570FA8

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction ID: 94147933d3616d56b47a737123f6dcf21e42dfbca505811c516e75b67ece4b5c
Opcode Fuzzy Hash: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction Fuzzy Hash: 20714B72A0020AEBDF20DFA5EC48BAEBFB8BF15310F148115F919A6191D7719A09DB60

Function 0059C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005ACC08,00000000,?,00000000,?,?), ref: 0059C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0059C5A4
_wcslen.LIBCMT ref: 0059C5F4
_wcslen.LIBCMT ref: 0059C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0059C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0059C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0059C84D
RegCloseKey.ADVAPI32(?), ref: 0059C881
RegCloseKey.ADVAPI32(00000000), ref: 0059C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0059C960

Strings

REG_BINARY, xrefs: 0059C913
REG_QWORD, xrefs: 0059C8C3
REG_EXPAND_SZ, xrefs: 0059C5CD
REG_SZ, xrefs: 0059C644
REG_MULTI_SZ, xrefs: 0059C6F5
REG_DWORD, xrefs: 0059C804

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6acd5b70e59bb7c068546cf1dc1efb49016b56b95f898f8e057102e442d035af
Instruction ID: 65d6091ea8e7ebefa0a227b30dc96ce80afb7bf4a83d511ccdbefd82c9d558a1
Opcode Fuzzy Hash: 6acd5b70e59bb7c068546cf1dc1efb49016b56b95f898f8e057102e442d035af
Instruction Fuzzy Hash: 891248356042029FDB14DF18C895A6ABFE5FF88714F05885DF85A9B3A2DB31ED81CB81

Function 005A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A09C6
_wcslen.LIBCMT ref: 005A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A0A54
_wcslen.LIBCMT ref: 005A0A8A
_wcslen.LIBCMT ref: 005A0B06
_wcslen.LIBCMT ref: 005A0B81

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

Part of subcall function 00572BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00572BFA

Strings

GETTOTALCOUNT, xrefs: 005A09F2, 005A0A17
UNCHECK, xrefs: 005A0D3E
EXPAND, xrefs: 005A0BF8
GETITEMCOUNT, xrefs: 005A0C1E
ISCHECKED, xrefs: 005A0CE1
GETTEXT, xrefs: 005A0C97
SELECT, xrefs: 005A0D11
CHECK, xrefs: 005A0A85, 005A0AA0
EXISTS, xrefs: 005A0B7C, 005A0B97
COLLAPSE, xrefs: 005A0B01, 005A0B1C
GETSELECTED, xrefs: 005A0C4E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction ID: 0b84ee3c1e562423bf36c7d2a3e3ff1fe8f90e3f4bb890a435a2b89ac42ce134
Opcode Fuzzy Hash: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction Fuzzy Hash: 0EE17A312183069FC714DF28C45096EBBE2BF9A314F14895DF8969B3A2D731ED85CB91

Function 0059C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
_wcslen.LIBCMT ref: 0059C9F1
_wcslen.LIBCMT ref: 0059CA68
_wcslen.LIBCMT ref: 0059CA9E
_wcslen.LIBCMT ref: 0059CAF9
_wcslen.LIBCMT ref: 0059CB2F
_wcslen.LIBCMT ref: 0059CB7F

Strings

HKEY_USERS, xrefs: 0059CBDF
HKCU, xrefs: 0059CBCE
HKEY_CURRENT_USER, xrefs: 0059CBBD
HKEY_LOCAL_MACHINE, xrefs: 0059CA62, 0059CA67
HKU, xrefs: 0059CBF0
HKEY_CURRENT_CONFIG, xrefs: 0059CB79, 0059CB7E
HKCR, xrefs: 0059CB29, 0059CB2E
HKCC, xrefs: 0059CBAC
HKEY_CLASSES_ROOT, xrefs: 0059CAF3, 0059CAF8
HKLM, xrefs: 0059CA98, 0059CA9D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction ID: eaf357bb85fa78da58079f1accf41328e4737ca79a2a4b9a844b8bb73652b882
Opcode Fuzzy Hash: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction Fuzzy Hash: 5D71E23260016B8BCF20DE7CC9515BE3FA2BFA5764F650529F8669B284E635CD84C7A0

Function 005A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A835A
_wcslen.LIBCMT ref: 005A836E
_wcslen.LIBCMT ref: 005A8391
_wcslen.LIBCMT ref: 005A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005A361A,?), ref: 005A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8501
FreeLibrary.KERNEL32(?), ref: 005A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005A851D
DestroyIcon.USER32(?), ref: 005A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005A8555

Strings

.icl, xrefs: 005A8368
.dll, xrefs: 005A83AB
.exe, xrefs: 005A8388

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction ID: 4000e39377e1ed38495077e0679b0884a2ba5d4673d1438b79dc369000e5dc70
Opcode Fuzzy Hash: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction Fuzzy Hash: 9F61E07190020ABFEB14DF64CC45BBE7FA8FB49721F10450AF815DA1D1EB74A980DBA0

Function 00517778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 005177FF
#ce, xrefs: 005178ED
#pragma compile, xrefs: 005177D3
#include, xrefs: 00517847
#OnAutoItStartRegister, xrefs: 00517817
#include-once, xrefs: 0051782F
#notrayicon, xrefs: 005177E7
Unterminated group of comments, xrefs: 0055528C
Bad directive syntax error, xrefs: 0055519A
#cs, xrefs: 00517873, 005178C5
", xrefs: 00555153
Cannot parse #include, xrefs: 00555279
#comments-start, xrefs: 0051785F, 005178B1
#comments-end, xrefs: 005178D9
', xrefs: 00555169

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 534a70174e4acf6e41b15179eb500969b49225a8069b7566fe058f3d59f62035
Instruction ID: 8b0ea2b4074395fc69489bc7cb3bfefd18196bf34bccab275f2d21d2cdcfb67c
Opcode Fuzzy Hash: 534a70174e4acf6e41b15179eb500969b49225a8069b7566fe058f3d59f62035
Instruction Fuzzy Hash: 5B81E67160460ABBEB20AF64DC56FEE3F78FF59300F044025F905AA192EB70D985D7A1

Function 00583E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00583EF8
_wcslen.LIBCMT ref: 00583F03
_wcslen.LIBCMT ref: 00583F5A
_wcslen.LIBCMT ref: 00583F98
GetDriveTypeW.KERNEL32(?), ref: 00583FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00584059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00584087

Strings

type cdaudio alias cd wait, xrefs: 00584001
close, xrefs: 00583EFE, 00583F18
close cd wait, xrefs: 00584072
open , xrefs: 00583FE5
open, xrefs: 00583F54, 00583F59
closed, xrefs: 00583F08, 00583F2D, 00583F46, 00583F7E, 00583F97
set cd door , xrefs: 00584028
wait, xrefs: 00584044

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b85a5ea33abb4c7150b880d2cbb4294d5dc32ddfa338ffaf67ef83e1cd37357b
Instruction ID: 215ecb3d53d929f388a7880e06f5c80c20b296177a816379dafcab293c2bd361
Opcode Fuzzy Hash: b85a5ea33abb4c7150b880d2cbb4294d5dc32ddfa338ffaf67ef83e1cd37357b
Instruction Fuzzy Hash: A97190316042029FD310EF24C8859AABFE4FF94754F10492EF995A7261EB35ED46CB91

Function 00575A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00575A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00575A40
SetWindowTextW.USER32(?,?), ref: 00575A57
GetDlgItem.USER32(?,000003EA), ref: 00575A6C
SetWindowTextW.USER32(00000000,?), ref: 00575A72
GetDlgItem.USER32(?,000003E9), ref: 00575A82
SetWindowTextW.USER32(00000000,?), ref: 00575A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00575AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00575AC3
GetWindowRect.USER32(?,?), ref: 00575ACC
_wcslen.LIBCMT ref: 00575B33
SetWindowTextW.USER32(?,?), ref: 00575B6F
GetDesktopWindow.USER32 ref: 00575B75
GetWindowRect.USER32(00000000), ref: 00575B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00575BD3
GetClientRect.USER32(?,?), ref: 00575BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00575C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00575C2F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction ID: f717d6a50677cd11ac83ddbc175e8d267dfc15700b27c56e0b97a4f71b2ac2ed
Opcode Fuzzy Hash: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction Fuzzy Hash: B0717F31900B059FDB20DFA8DE85A6EBFF5FF48705F104918E18AA35A0E7B4E944DB50

Function 0058FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0058FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0058FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0058FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0058FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0058FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0058FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0058FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0058FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0058FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0058FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0058FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0058FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0058FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0058FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0058FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0058FECC
GetCursorInfo.USER32(?), ref: 0058FEDC
GetLastError.KERNEL32 ref: 0058FF1E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bf5abb4dc0c1c5e019b0050a9ba05f14132099d8eb08f8e80cf2cdbd0d21cbc3
Instruction ID: d66161c3e5ed8d12d18b654362200d09650603ace43a04255dd92a3fcf9e320b
Opcode Fuzzy Hash: bf5abb4dc0c1c5e019b0050a9ba05f14132099d8eb08f8e80cf2cdbd0d21cbc3
Instruction Fuzzy Hash: 274151B0D443196ADB109FBA8C8985EBFE8FF08354B50452AE519E7281DB78A9018F91

Function 005730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057318D
_wcslen.LIBCMT ref: 005731F8

Strings

TEXT, xrefs: 0057347C
CLASS, xrefs: 00573188, 005731A5
[], xrefs: 0057339A
CLASSNN, xrefs: 005731F3, 00573204
REGEXPCLASS, xrefs: 00573255, 00573266
NAME, xrefs: 00573335, 00573346
INSTANCE, xrefs: 00573453

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[]
API String ID: 176396367-4125391415
Opcode ID: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction ID: 4fce7546877220f89ca9fbb137fdb8872f5243ea5fc453e8c3f1c017bfd1431e
Opcode Fuzzy Hash: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction Fuzzy Hash: FCE1E732A00516ABCF28DF78D4556EDBFB1BF44720F54C52AE45AA7240EB30AE85F790

Function 005300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005300C6

Part of subcall function 005300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005E070C,00000FA0,525824E4,?,?,?,?,005523B3,000000FF), ref: 0053011C
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005523B3,000000FF), ref: 00530127
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005523B3,000000FF), ref: 00530138
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0053014E
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0053015C
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0053016A
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00530195
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005301A0

___scrt_fastfail.LIBCMT ref: 005300E7

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

Strings

kernel32.dll, xrefs: 00530133
InitializeConditionVariable, xrefs: 00530148
WakeAllConditionVariable, xrefs: 00530162
SleepConditionVariableCS, xrefs: 00530154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00530122

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction ID: 2b027beda6b6cd48bbc23366fbf28800fc68745221f96054de72aafd0fca023f
Opcode Fuzzy Hash: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction Fuzzy Hash: 63212632A407116BE7256BA4BC59B2E7FE8FB56B61F00113AF801E72D1DBB09C04DB90

Function 005844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005ACC08), ref: 00584527
_wcslen.LIBCMT ref: 0058453B
_wcslen.LIBCMT ref: 00584599
_wcslen.LIBCMT ref: 005845F4
_wcslen.LIBCMT ref: 0058463F
_wcslen.LIBCMT ref: 005846A7

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

GetDriveTypeW.KERNEL32(?,005D6BF0,00000061), ref: 00584743

Strings

unknown, xrefs: 00584708
all, xrefs: 00584531, 00584536
removable, xrefs: 005845EA, 005845EF
ramdisk, xrefs: 005846F1
cdrom, xrefs: 0058458F, 00584594
network, xrefs: 0058469D, 005846A2
fixed, xrefs: 00584635, 0058463A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction ID: 52e427e6f0860e730395d9f9e12390ecf223d89397b3e5b1e8fc89aba3b4b925
Opcode Fuzzy Hash: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction Fuzzy Hash: F2B19D316083039BC710EF28C894A6EBBE5BFA5764F50491DF896E7291E730D985CB92

Function 005A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DragQueryPoint.SHELL32(?,?), ref: 005A9147

Part of subcall function 005A7674: ClientToScreen.USER32(?,?), ref: 005A769A
Part of subcall function 005A7674: GetWindowRect.USER32(?,?), ref: 005A7710
Part of subcall function 005A7674: PtInRect.USER32(?,?,005A8B89), ref: 005A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9277
DragFinish.SHELL32(?), ref: 005A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005A9371

Strings

@GUI_DRAGFILE, xrefs: 005A9320
p#^, xrefs: 005A92BB
@GUI_DRAGID, xrefs: 005A92E9
@GUI_DROPID, xrefs: 005A929E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#^
API String ID: 221274066-4237971630
Opcode ID: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction ID: b3122728a10f91d5f26426d0b86c766d0ab4d7bea99136e93a8158366580abd7
Opcode Fuzzy Hash: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction Fuzzy Hash: 3F613771108302AFD701DF54D889DAFBFE8FFD9750F00091AB595962A1DB309A49CB92

Function 0051326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005E1990), ref: 00552F8D
GetMenuItemCount.USER32(005E1990), ref: 0055303D
GetCursorPos.USER32(?), ref: 00553081
SetForegroundWindow.USER32(00000000), ref: 0055308A
TrackPopupMenuEx.USER32(005E1990,00000000,?,00000000,00000000,00000000), ref: 0055309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005530A9

Strings

0, xrefs: 0051327D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction ID: af02a0ea856ff7407d1511b743f0a84c1853f589062e0e377b662b911064c1d2
Opcode Fuzzy Hash: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction Fuzzy Hash: 59710C30640206BEFB259F64DC99FAABF68FF06364F204216F9256A1E0C7B1AD54D750

Function 005A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 005A6DEB

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6E94
DestroyWindow.USER32(?), ref: 005A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 005A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6EFD
GetDesktopWindow.USER32 ref: 005A6F16
GetWindowRect.USER32(00000000), ref: 005A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005A6F4D

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

Strings

tooltips_class32, xrefs: 005A6E58, 005A6EDD
0, xrefs: 005A6D98

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction ID: 3203997087ab0fa708173287b07fd1d54867da02243f37f160fb88a70989983f
Opcode Fuzzy Hash: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction Fuzzy Hash: 92715B74144245AFDB25CF18DC84FABBFE9FB9A304F08041DF9998B2A1C770A949DB15

Function 0058C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0058C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0058C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C5F0
InternetCloseHandle.WININET(00000000), ref: 0058C5FB

Strings

, xrefs: 0058C575

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction ID: 2b1830867d0f22beec1514f2e3adb9b94de766b10f3f2ae826bf00e9bb3cd1cd
Opcode Fuzzy Hash: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction Fuzzy Hash: 4F515DB1500205BFEB21AF64C948ABB7FFCFF19754F00441AF945A6210DB34E948AB70

Function 005A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 005A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005A85AD
CloseHandle.KERNEL32(00000000), ref: 005A85BA
GlobalLock.KERNEL32(00000000), ref: 005A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005A85D7
GlobalUnlock.KERNEL32(00000000), ref: 005A85E0
CloseHandle.KERNEL32(00000000), ref: 005A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,?), ref: 005A8611
GlobalFree.KERNEL32(00000000), ref: 005A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 005A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005A8671
DeleteObject.GDI32(00000000), ref: 005A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005A86AF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction ID: 5f37d3b040e4651022a9867580da52e8007f0476a1de009eac8babf7375f861b
Opcode Fuzzy Hash: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction Fuzzy Hash: 9E41E675600208BFDB119FA5DC48EAE7FB8FF9AB11F144059F905EB260DB309905DB60

Function 005814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00581502
VariantCopy.OLEAUT32(?,?), ref: 0058150B
VariantClear.OLEAUT32(?), ref: 00581517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00581657
VariantInit.OLEAUT32(?), ref: 00581708
SysFreeString.OLEAUT32(?), ref: 0058178C
VariantClear.OLEAUT32(?), ref: 005817D8
VariantClear.OLEAUT32(?), ref: 005817E7
VariantInit.OLEAUT32(00000000), ref: 00581823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00581625
Default, xrefs: 005816AF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction ID: 980ad9e6b04b45b22e0d3514e6d0f2b74c22002dd6da3711dbea11301e905e12
Opcode Fuzzy Hash: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction Fuzzy Hash: 4BD1E271A00916DBDB10AF65E889B7DBFB9BF86700F10846AE846BB180DB30DC46DF55

Function 0059B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0059B80A
RegCloseKey.ADVAPI32(?), ref: 0059B87E
RegCloseKey.ADVAPI32(?), ref: 0059B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0059B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0059B922
FreeLibrary.KERNEL32(00000000), ref: 0059B983
RegCloseKey.ADVAPI32(00000000), ref: 0059B994

Strings

advapi32.dll, xrefs: 0059B8ED
RegDeleteKeyExW, xrefs: 0059B8FE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction ID: 4ec804f3d070aa3baf3fd6b8bd418a48a303274b3022ac858df8b860c9b2d091
Opcode Fuzzy Hash: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction Fuzzy Hash: B9C17D30204202AFEB10DF14D599F6ABFE5FF84308F14855CE59A4B2A2CB75ED86CB91

Function 0059255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005925E8
CreateCompatibleDC.GDI32(?), ref: 005925F4
SelectObject.GDI32(00000000,?), ref: 00592601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0059266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005926D0
SelectObject.GDI32(?,?), ref: 005926D8
DeleteObject.GDI32(?), ref: 005926E1
DeleteDC.GDI32(?), ref: 005926E8
ReleaseDC.USER32(00000000,?), ref: 005926F3

Strings

(, xrefs: 0059268D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3771a5d100dbf3c6ed9c1b56c2a6246e6ad4e43d3aa2691de95fad4d6a925eb2
Instruction ID: 3c1a2fd0e8e0f01e1f23edcf63cf8a97ac779e41231635b2ac480e4f37ea9cc5
Opcode Fuzzy Hash: 3771a5d100dbf3c6ed9c1b56c2a6246e6ad4e43d3aa2691de95fad4d6a925eb2
Instruction Fuzzy Hash: A061D275E00219EFCF05CFA8D988AAEBBF5FF58310F208529E956A7250D770A941DF90

Function 0054DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0054DAA1

Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D659
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D66B
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D67D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D68F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6A1
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6B3
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6C5
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6D7
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6E9
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6FB
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D70D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D71F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D731

_free.LIBCMT ref: 0054DA96

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054DAB8
_free.LIBCMT ref: 0054DACD
_free.LIBCMT ref: 0054DAD8
_free.LIBCMT ref: 0054DAFA
_free.LIBCMT ref: 0054DB0D
_free.LIBCMT ref: 0054DB1B
_free.LIBCMT ref: 0054DB26
_free.LIBCMT ref: 0054DB5E
_free.LIBCMT ref: 0054DB65
_free.LIBCMT ref: 0054DB82
_free.LIBCMT ref: 0054DB9A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
Instruction ID: 2d6e3b6f5a3c5c42a1fc12d99973f5fba1c2b25e96e381818fc4bf4e6d23e272
Opcode Fuzzy Hash: b3ae0baad26f4e2af38f5549d0badfd1301e6b9d7241c27b315384a19c02709b
Instruction Fuzzy Hash: 28312A316046069FEB22AA3AE849BDA7FF9FF40318F55441AF449D7291DA35AC80CB30

Function 0057365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0057369C
_wcslen.LIBCMT ref: 005736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00573797
GetClassNameW.USER32(?,?,00000400), ref: 0057380C
GetDlgCtrlID.USER32(?), ref: 0057385D
GetWindowRect.USER32(?,?), ref: 00573882
GetParent.USER32(?), ref: 005738A0
ScreenToClient.USER32(00000000), ref: 005738A7
GetClassNameW.USER32(?,?,00000100), ref: 00573921
GetWindowTextW.USER32(?,?,00000400), ref: 0057395D

Strings

%s%u, xrefs: 00573734

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction ID: 317b7c397bd0880e0e8153a9bc3f02a8e07af5eaf326be7df6a93a3a6328cd43
Opcode Fuzzy Hash: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction Fuzzy Hash: D991B371204617AFD718DF24D885BAABFA8FF44360F008529FA9DD2190DB30EA45EB91

Function 00574954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00574994
GetWindowTextW.USER32(?,?,00000400), ref: 005749DA
_wcslen.LIBCMT ref: 005749EB
CharUpperBuffW.USER32(?,00000000), ref: 005749F7
_wcsstr.LIBVCRUNTIME ref: 00574A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00574A64
GetWindowTextW.USER32(?,?,00000400), ref: 00574A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00574AE6
GetClassNameW.USER32(?,?,00000400), ref: 00574B20
GetWindowRect.USER32(?,?), ref: 00574B8B

Strings

ThumbnailClass, xrefs: 00574A6F, 00574AF1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction ID: 6862e355f64ae1b0f7a1f9936421b4d5cbe64e2ad6600e7fc6a1b810eebfb31d
Opcode Fuzzy Hash: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction Fuzzy Hash: D891AA310042069FDB05DF14E985BAABFE9FF84314F04846AFD899A096EB30ED45DFA1

Function 0057BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005E1990,000000FF,00000000,00000030), ref: 0057BFAC
SetMenuItemInfoW.USER32(005E1990,00000004,00000000,00000030), ref: 0057BFE1
Sleep.KERNEL32(000001F4), ref: 0057BFF3
GetMenuItemCount.USER32(?), ref: 0057C039
GetMenuItemID.USER32(?,00000000), ref: 0057C056
GetMenuItemID.USER32(?,-00000001), ref: 0057C082
GetMenuItemID.USER32(?,?), ref: 0057C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0057C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057C145

Strings

0, xrefs: 0057BF3D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0f888608f2cd3f5792d72826a288ff7e39414a32446815aa229eaa86066f0a82
Instruction ID: 0d42eaf77828a8b02cc286e80f402a9392508cd0b112288fca6330b16e803765
Opcode Fuzzy Hash: 0f888608f2cd3f5792d72826a288ff7e39414a32446815aa229eaa86066f0a82
Instruction Fuzzy Hash: 8E6180B0900246AFDF15CF64EC8CAEE7FA8FB45344F408469F859A7291D735AD05EBA0

Function 0059CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0059CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD48

Part of subcall function 0059CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0059CCAA
Part of subcall function 0059CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0059CCBD
Part of subcall function 0059CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059CCCF
Part of subcall function 0059CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD05
Part of subcall function 0059CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0059CCF3

Strings

advapi32.dll, xrefs: 0059CCB8
RegDeleteKeyExW, xrefs: 0059CCC9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction ID: 76449b2b1065bb2c4135b0473957e9dec6189acc7770e4949f094441577c5f4f
Opcode Fuzzy Hash: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction Fuzzy Hash: 94316E71A41229BBDB208B54DC88EFFBFBCFF56750F000165E905E6240DB349E49EAA0

Function 00583D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00583D40
_wcslen.LIBCMT ref: 00583D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00583D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00583DBE
RemoveDirectoryW.KERNEL32(?), ref: 00583DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00583E55
CloseHandle.KERNEL32(00000000), ref: 00583E60
CloseHandle.KERNEL32(00000000), ref: 00583E6B

Strings

\, xrefs: 00583D77
\??\%s, xrefs: 00583D5B
:, xrefs: 00583D82

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c9c863edca603b7c2968325ee53bb6d66d8035e646f3831242a5d39890c550c9
Instruction ID: 9c2d64e5f8216587f0489e833cde29f80c4912b085c2dabc9663322792831530
Opcode Fuzzy Hash: c9c863edca603b7c2968325ee53bb6d66d8035e646f3831242a5d39890c550c9
Instruction Fuzzy Hash: 7D31967550011A6BDB21ABA0DC49FEF3BBCFF89B40F1041B6F905E6150EB7497458B24

Function 0057E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0057E6B4

Part of subcall function 0052E551: timeGetTime.WINMM(?,?,0057E6D4), ref: 0052E555

Sleep.KERNEL32(0000000A), ref: 0057E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0057E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0057E727
SetActiveWindow.USER32 ref: 0057E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0057E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0057E773
Sleep.KERNEL32(000000FA), ref: 0057E77E
IsWindow.USER32 ref: 0057E78A
EndDialog.USER32(00000000), ref: 0057E79B

Strings

BUTTON, xrefs: 0057E719

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction ID: f073b9751afbd4aa994e19799cc77203efcd0e95fc8a64b490d8719a6423eb07
Opcode Fuzzy Hash: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction Fuzzy Hash: 4B2162B0200385AFEF045F25FCCAA253F6DF77A349F108465F549861A5DFB1AC08BA24

Function 0057E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0057EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0057EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0057EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0057EAA7

Strings

play PlayMe wait, xrefs: 0057EA91
status PlayMe mode, xrefs: 0057EA58
play PlayMe, xrefs: 0057EAA2
open , xrefs: 0057EA0C
alias PlayMe, xrefs: 0057EA36
close PlayMe, xrefs: 0057EA6E, 0057EA9B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction ID: b23c9614e526a7b91241434ed60e74c863b90059a5dfcc7ebf550558c172c401
Opcode Fuzzy Hash: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction Fuzzy Hash: C2115131A5021A79E720A7A5DC5FDFF6F7CFBD5B40F00082BB811A21D1EA701946D9B1

Function 00575CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00575CE2
GetWindowRect.USER32(00000000,?), ref: 00575CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00575D59
GetDlgItem.USER32(?,00000002), ref: 00575D69
GetWindowRect.USER32(00000000,?), ref: 00575D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00575DCF
GetDlgItem.USER32(?,000003E9), ref: 00575DDD
GetWindowRect.USER32(00000000,?), ref: 00575DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00575E31
GetDlgItem.USER32(?,000003EA), ref: 00575E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00575E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00575E67

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: df01c4290a76ff926ad615a713a8996397b6e8ad68142963d5adad664806d083
Instruction ID: 107baca27bcc17ec47cf771bdebb0b3bdca4a7a8fb2cf8d1ceb04834e20c185c
Opcode Fuzzy Hash: df01c4290a76ff926ad615a713a8996397b6e8ad68142963d5adad664806d083
Instruction Fuzzy Hash: 7F51FF71A00615AFDB18CF68DD89AAE7FB9FB58300F548129F91AE7290E7709E04DB50

Function 00528BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

DestroyWindow.USER32(?), ref: 00528C81
KillTimer.USER32(00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00566973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000), ref: 005669D4
DeleteObject.GDI32(00000000), ref: 005669E6

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction ID: 30d0a4b81ba2f000b36e6c4fb785cd3ddd457784389474be67a17238baca1d2b
Opcode Fuzzy Hash: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction Fuzzy Hash: 45618031502B61DFDB259F54EA487397FF1FF62312F144918E082AB5A0CB35AC98EB54

Function 00529838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetSysColor.USER32(0000000F), ref: 00529862

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction ID: 4cb9e7f3d078a931fe476a7b2be02545f5e048aca7da1330e3f638e743243659
Opcode Fuzzy Hash: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction Fuzzy Hash: DD41AF31504654AFDB245F38AC88BB93FA5BF27330F184655F9A28B2E2D7319846EB10

Function 00548D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.S, xrefs: 0054903A, 00548FD0, 00548FF2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: .S
API String ID: 0-1539595904
Opcode ID: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
Instruction ID: 4df9f2ad0d55cb23b9e7b728096982678500be7613d02536fa81326fd622d9b8
Opcode Fuzzy Hash: f4084f31dbfe58e50bcc5b216dca1cda73154b838ff3e5d66c7742d360502bd2
Instruction Fuzzy Hash: ABC1E174D04249AFDB15DFA8D84ABEEBFB0BF59318F044099F418AB392C7709941CB61

Function 005796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00579717
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579720

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00579742
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00579866

Strings

Line %d:, xrefs: 005797A0
%s (%d) : ==> %s: %s %s, xrefs: 0057984A
^ ERROR, xrefs: 005797FB
Line %d (File "%s"):, xrefs: 0057978F
Error: , xrefs: 0057981D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction ID: 80cc43e4dae3be0c9425749b8b5899d28683a7dc2cdb02409d0af7afc2769872
Opcode Fuzzy Hash: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction Fuzzy Hash: 7541207280021AAADF14EBE0DD9ADEE7B78BF95340F104425F60572092EB356F89DB71

Function 005706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00570804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0057082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00570837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057083C

Strings

SOFTWARE\Classes\, xrefs: 0057070E
\CLSID, xrefs: 00570724
\IPC$, xrefs: 00570784

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction ID: 24b33ed58f2f657a203f1727a9fedcb3e013658d3200f73d438afd1070e70d02
Opcode Fuzzy Hash: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction Fuzzy Hash: F9411A71C10229EBDF15EFA4DC998EDBBB8FF54350F144526E905A31A1EB30AE44DB90

Function 00593C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00593C5C
CoInitialize.OLE32(00000000), ref: 00593C8A
CoUninitialize.OLE32 ref: 00593C94
_wcslen.LIBCMT ref: 00593D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00593DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00593ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00593F0E
CoGetObject.OLE32(?,00000000,005AFB98,?), ref: 00593F2D
SetErrorMode.KERNEL32(00000000), ref: 00593F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00593FC4
VariantClear.OLEAUT32(?), ref: 00593FD8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cf7ae2bac5c9028cb49224f752ac1cdec4d35337ed0afd721d9f73fa068da959
Instruction ID: 2ab23bee25734d39621ab944db3876b769ad1d3830e7beafb1ce5e955c1a112f
Opcode Fuzzy Hash: cf7ae2bac5c9028cb49224f752ac1cdec4d35337ed0afd721d9f73fa068da959
Instruction Fuzzy Hash: E3C10171608305EFDB00DF68C88492ABBE9FF89744F14491DF98A9B250DB31EE45CB52

Function 00587A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00587AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00587B8F
SHGetDesktopFolder.SHELL32(?), ref: 00587BA3
CoCreateInstance.OLE32(005AFD08,00000000,00000001,005D6E6C,?), ref: 00587BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00587C74
CoTaskMemFree.OLE32(?,?), ref: 00587CCC
SHBrowseForFolderW.SHELL32(?), ref: 00587D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00587D7A
CoTaskMemFree.OLE32(00000000), ref: 00587D81
CoTaskMemFree.OLE32(00000000), ref: 00587DD6
CoUninitialize.OLE32 ref: 00587DDC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e45ef0b7c5dd411f83bba81f8acaa719ae31d89cd8e3f126ffc69ec6d968d194
Instruction ID: e0eb0b44b998ba408dac48f68a003ae90e1cc16954d485a252e6de2c1b545eeb
Opcode Fuzzy Hash: e45ef0b7c5dd411f83bba81f8acaa719ae31d89cd8e3f126ffc69ec6d968d194
Instruction Fuzzy Hash: 1DC10B75A04109AFDB14DFA4C888DAEBFF9FF48304B148499E819AB361D731EE45CB90

Function 005A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A5515
CharNextW.USER32(00000158), ref: 005A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A55AC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction ID: ea8e2b4be976ada3c33e14a844faf45e9a5f019e2946aaab4e145fcb64cc028e
Opcode Fuzzy Hash: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction Fuzzy Hash: D7615931904609EFDF119F64CC84EBE7FB9FB1A720F104545FA25AB290E7748A84DB60

Function 0056FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0056FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0056FB08
VariantInit.OLEAUT32(?), ref: 0056FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0056FB3A
VariantCopy.OLEAUT32(?,?), ref: 0056FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0056FBA1
VariantClear.OLEAUT32(?), ref: 0056FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0056FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBCC
VariantClear.OLEAUT32(?), ref: 0056FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBE9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction ID: 052c8d2941b85b41d45c82aff44a66275088f8fcaffea0f8c130a4442233d49e
Opcode Fuzzy Hash: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction Fuzzy Hash: B4415F35E002199FCF00DFA4D8589AEBFB9FF59345F008069E906A7261DB70A945DBA0

Function 00579C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00579CA1
GetAsyncKeyState.USER32(000000A0), ref: 00579D22
GetKeyState.USER32(000000A0), ref: 00579D3D
GetAsyncKeyState.USER32(000000A1), ref: 00579D57
GetKeyState.USER32(000000A1), ref: 00579D6C
GetAsyncKeyState.USER32(00000011), ref: 00579D84
GetKeyState.USER32(00000011), ref: 00579D96
GetAsyncKeyState.USER32(00000012), ref: 00579DAE
GetKeyState.USER32(00000012), ref: 00579DC0
GetAsyncKeyState.USER32(0000005B), ref: 00579DD8
GetKeyState.USER32(0000005B), ref: 00579DEA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction ID: 685d34758f6ca7475cc448b13190a1fd413ce8ef14e5e60e09656be6af4b914b
Opcode Fuzzy Hash: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction Fuzzy Hash: 1941EB345047C96DFF318764A4043B5BEA47F22344F08C05ADACA575C2EBA49DC8E7B2

Function 0059055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005905BC
inet_addr.WSOCK32(?), ref: 0059061C
gethostbyname.WSOCK32(?), ref: 00590628
IcmpCreateFile.IPHLPAPI ref: 00590636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005907B9
WSACleanup.WSOCK32 ref: 005907BF

Strings

Ping, xrefs: 00590676

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 3c550eb622e610f3e54d186f478d3057c34925964454a903109b43cfc1d3b368
Instruction ID: 9f814ae3ae2f078b379af0feebdecb90875333d50973ea182e424a9ce42a4572
Opcode Fuzzy Hash: 3c550eb622e610f3e54d186f478d3057c34925964454a903109b43cfc1d3b368
Instruction Fuzzy Hash: F5916C356042019FDB20DF15D488B1ABFE4FF85328F1599A9E4698B6A2C730FD85CF91

Function 00598CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00598CF3

Part of subcall function 00578E54: _wcslen.LIBCMT ref: 00578E77

_wcslen.LIBCMT ref: 00598D4E
_wcslen.LIBCMT ref: 00598D9C
_wcslen.LIBCMT ref: 00598DDC
_wcslen.LIBCMT ref: 00598E6E

Strings

cdecl, xrefs: 00598D48, 00598D4D
none, xrefs: 00598E65, 00598E6A
winapi, xrefs: 00598D96, 00598D9B
stdcall, xrefs: 00598DD6, 00598DDB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction ID: a53a5601b67f748e7e8b52716f4967f956f04f3a7f262ffda55c86cccd0f5692
Opcode Fuzzy Hash: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction Fuzzy Hash: AC519431A001179BCF24DF6CC9509BEBBA5BF66720B244629E426E73C4DB35DD40C790

Function 0059372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00593774
CoUninitialize.OLE32 ref: 0059377F
CoCreateInstance.OLE32(?,00000000,00000017,005AFB78,?), ref: 005937D9
IIDFromString.OLE32(?,?), ref: 0059384C
VariantInit.OLEAUT32(?), ref: 005938E4
VariantClear.OLEAUT32(?), ref: 00593936

Strings

Failed to create object, xrefs: 005937E4, 0059389A
Invalid parameter, xrefs: 00593865
NULL Pointer assignment, xrefs: 0059381E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction ID: 21e47184bd8155c0ce31768e3ffbbb48a829bf99ac12fd1f2fd0b081e013da92
Opcode Fuzzy Hash: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction Fuzzy Hash: EB617971608202EFDB10DF54D889B6ABFE8FF89710F004819F9859B291D770EE49CB92

Function 00583388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005833CF

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005833F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00583522
^ ERROR , xrefs: 0058349E
Incorrect parameters to object property !, xrefs: 005834AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00583504
Line %d (File "%s"):, xrefs: 00583443, 0058345C
Error: , xrefs: 005834D1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction ID: b97928cbf6668750fe2cbab7faf2d9bd8b255a27dcb82d62a7769dcb87649bd9
Opcode Fuzzy Hash: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction Fuzzy Hash: EE51B37180020ABAEF15EBA0DD5AEEEBF78BF54740F104466F50572161EB312F98DB60

Function 0057B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0057B5FC
_wcslen.LIBCMT ref: 0057B608
_wcslen.LIBCMT ref: 0057B64D
_wcslen.LIBCMT ref: 0057B68C
_wcslen.LIBCMT ref: 0057B6C7

Strings

REMOVE, xrefs: 0057B602, 0057B607
KEYS, xrefs: 0057B647, 0057B64C
APPEND, xrefs: 0057B6C1, 0057B6C6
EXISTS, xrefs: 0057B686, 0057B68B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction ID: 9d3d8b958fce7c9f6bb1e33cf411d7d3e757fb5e8f625136b9ba80c7532fa462
Opcode Fuzzy Hash: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction Fuzzy Hash: 2C41FD72A000279BDB205F7DD8906BE7FB5FFA0754B24812AE629D7284E735CD81D790

Function 00585393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00585416
GetLastError.KERNEL32 ref: 00585420
SetErrorMode.KERNEL32(00000000,READY), ref: 005854A7

Strings

READY, xrefs: 00585460, 00585468
READONLY, xrefs: 00585452
INVALID, xrefs: 00585459
UNKNOWN, xrefs: 00585444
NOTREADY, xrefs: 0058544B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction ID: bbbc0acc88e2e69d1789eae54116aef7bc10f5fac25d6c84168142adee5899ab
Opcode Fuzzy Hash: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction Fuzzy Hash: B4318F35A006059FDB10EF68C488AAA7FF4FF45305F548066E805EB3A2EB71DD86CB90

Function 005A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005A3C79
SetMenu.USER32(?,00000000), ref: 005A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3D10
IsMenu.USER32(?), ref: 005A3D24
CreatePopupMenu.USER32 ref: 005A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3D5B
DrawMenuBar.USER32 ref: 005A3D63

Strings

0, xrefs: 005A3C54
F, xrefs: 005A3D4E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction ID: 27a32d64678b2d3c73eb1829b21462897e1da032068909cd2280e2de5c407997
Opcode Fuzzy Hash: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction Fuzzy Hash: 18416879A01209EFDB14CF64D884AAE7FB5FF5A354F140029F946A7360D730AA14DB94

Function 00571EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00571F64
GetDlgCtrlID.USER32 ref: 00571F6F
GetParent.USER32 ref: 00571F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00571F8E
GetDlgCtrlID.USER32(?), ref: 00571F97
GetParent.USER32(?), ref: 00571FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00571FAE

Strings

ComboBox, xrefs: 00571EEC
ListBox, xrefs: 00571F21

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6988849035dfbdd36d139ad445dcf7a536a518007fcf593bf0dced547869c3c8
Instruction ID: a48eb5abc76949db3d1615c25b98a0889183bc080912d25388fa365ffbb7892b
Opcode Fuzzy Hash: 6988849035dfbdd36d139ad445dcf7a536a518007fcf593bf0dced547869c3c8
Instruction Fuzzy Hash: 0421D070900214BBDF11EFA8DC89DEEBFB8BF56350F004116F9656B291DB344908EB60

Function 00571FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00572043
GetDlgCtrlID.USER32 ref: 0057204E
GetParent.USER32 ref: 0057206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057206D
GetDlgCtrlID.USER32(?), ref: 00572076
GetParent.USER32(?), ref: 0057208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057208D

Strings

ComboBox, xrefs: 00571FCD
ListBox, xrefs: 00572002

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a6c9aca4f10ac45b3761e12970c75b2eb348c03fa41b191422d441615f6e1d70
Instruction ID: 86fe38d3784bab02a1d1d80e9a7d5d2409d65192834e0970f793663afd086e34
Opcode Fuzzy Hash: a6c9aca4f10ac45b3761e12970c75b2eb348c03fa41b191422d441615f6e1d70
Instruction Fuzzy Hash: 7621CF71900214BBDF10EFA4DC89EEEBFB8BF15340F004416B996AB2A1DA754958EB60

Function 005A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005A3C13

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction ID: 54982ee2cc5b44355717b08d8d85a7a00505cbc00a454a5e6c79052ab5caf453
Opcode Fuzzy Hash: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction Fuzzy Hash: D5615975900248AFDB10DFA8CC81EEE7BF8BF4A714F100099FA15AB291C770AE45DB60

Function 0057B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B165
GetWindowThreadProcessId.USER32(00000000), ref: 0057B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0057B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B21D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction ID: a050517342d5caed08633f028526d7c7b1b44c480fee28fff55d126ac75abfec
Opcode Fuzzy Hash: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction Fuzzy Hash: 72318C75510208AFEB149F24EC8CB6D7FA9BB61311F108455FA09DB191E7B49E48AF60

Function 00542C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00542C94

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 00542CA0
_free.LIBCMT ref: 00542CAB
_free.LIBCMT ref: 00542CB6
_free.LIBCMT ref: 00542CC1
_free.LIBCMT ref: 00542CCC
_free.LIBCMT ref: 00542CD7
_free.LIBCMT ref: 00542CE2
_free.LIBCMT ref: 00542CED
_free.LIBCMT ref: 00542CFB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
Instruction ID: f2b647019b5027eac990fe8d3f060b4f816d861e06b3150a55d4c80a2b105c10
Opcode Fuzzy Hash: cb3ab96e268b8459a62f3b421e9f9936c1086efe2ad853fe3524ff0753285d84
Instruction Fuzzy Hash: DF11C076100119AFDB02EF95D886CDD3FB9FF45354F9144A0FA489B222DA31EE909B90

Function 00587DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00587FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00587FC1
GetFileAttributesW.KERNEL32(?), ref: 00587FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00588005
SetCurrentDirectoryW.KERNEL32(?), ref: 00588017
SetCurrentDirectoryW.KERNEL32(?), ref: 00588060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005880B0

Strings

*.*, xrefs: 00588066

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9a0e5fb5a9e78eb493b66398a5808f62e9e483d66d19b361993f78d6c71b18f5
Instruction ID: 726c6ec4c52bc6c92eed617e448c41a757dd9d9d81981cf118759105984ed499
Opcode Fuzzy Hash: 9a0e5fb5a9e78eb493b66398a5808f62e9e483d66d19b361993f78d6c71b18f5
Instruction Fuzzy Hash: 9A81A3725082059BDB20FF64C4489BABBE8BF89310F644C5AFC85E7250EB35DD49CB52

Function 00515BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00515C7A

Part of subcall function 00515D0A: GetClientRect.USER32(?,?), ref: 00515D30
Part of subcall function 00515D0A: GetWindowRect.USER32(?,?), ref: 00515D71
Part of subcall function 00515D0A: ScreenToClient.USER32(?,?), ref: 00515D99

GetDC.USER32 ref: 005546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00554708
SelectObject.GDI32(00000000,00000000), ref: 00554716
SelectObject.GDI32(00000000,00000000), ref: 0055472B
ReleaseDC.USER32(?,00000000), ref: 00554733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005547C4

Strings

U, xrefs: 00554693

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction ID: 6a7442baf897b7f100ead10c7b58d3ad4d9cbc5dbde225e092372e4ab66aa7f3
Opcode Fuzzy Hash: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction Fuzzy Hash: 1671DF34400205DFCF258F64C998AEA3FB5FF8A31AF14426AED555A266D7309CCADF50

Function 0058359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00583742
"%s" (%d) : ==> %s:%s%s, xrefs: 00583724
^ ERROR, xrefs: 005836C9
Line %d (File "%s"):, xrefs: 0058366B
Error: , xrefs: 005836EF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction ID: 01a258eaff1156b73ec1966dd901fbecae17bf0f3fcd8015bee7ecbafa8b6670
Opcode Fuzzy Hash: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction Fuzzy Hash: 0C516B7180020ABAEF14EBA0DC9AEEDBF38FF54700F144525F515721A1EB306B99DBA0

Function 0058C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C2CA
GetLastError.KERNEL32 ref: 0058C322
SetEvent.KERNEL32(?), ref: 0058C336
InternetCloseHandle.WININET(00000000), ref: 0058C341

Strings

, xrefs: 0058C2BB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction ID: 7790a83be29ec81c6077cf97ffaada539440bc72bc764fc059f9443af2f9ae57
Opcode Fuzzy Hash: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction Fuzzy Hash: 64317FB1500604AFD721AF649C88AAB7FFCFB59744F10891EF886A2240DB34DD099B70

Function 0057989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00553AAF,?,?,Bad directive syntax error,005ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005798BC
LoadStringW.USER32(00000000,?,00553AAF,?), ref: 005798C3

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00579987

Strings

Line %d:, xrefs: 00579912
%s (%d) : ==> %s.: %s %s, xrefs: 005798F1
Error: , xrefs: 00579955
., xrefs: 0057996D
Line %d (File "%s"):, xrefs: 0057992D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction ID: 3543e181bf1943ab2dec9d3879c9b890ed7313b46a79ed3319eb8e9b89e6397c
Opcode Fuzzy Hash: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction Fuzzy Hash: 3D21943180021BBBDF11AF90DC5AEED7F75FF54300F044826F519620A1EB71AA58EB60

Function 0057209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0057214D

Strings

smallicons, xrefs: 00572115
list, xrefs: 0057212F
largeicons, xrefs: 005720E1
details, xrefs: 005720FB
SHELLDLL_DefView, xrefs: 005720CC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction ID: e24e2ee8d6ef4f15f5b1a9a8917e5d0e8b7af0ecbfbba80c76c1da46cb71f507
Opcode Fuzzy Hash: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction Fuzzy Hash: 9C11597A288307BAF6116229FC0BDA63F9CFB15324F20401BFB09A50D1FE716841BA14

Function 0054CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0054CEB7
_free.LIBCMT ref: 0054CF22
_free.LIBCMT ref: 0054CF48
_free.LIBCMT ref: 0054CF71
_free.LIBCMT ref: 0054CFA9
_free.LIBCMT ref: 0054CFDA
_free.LIBCMT ref: 0054D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0054D09C
_free.LIBCMT ref: 0054D0B5

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
Instruction ID: 0c4c8da63d30988a50988f37c33bf85e18892c3feaad86dce66b3f4f2a063d49
Opcode Fuzzy Hash: 35c5133244bc30a076be77cc1833b6e730a0e82258f093994e484aa6b43f7f69
Instruction Fuzzy Hash: FF618771905312BFDB25AFB49C89AEE7FA5FF81318F04016DF9449B282EB359C489760

Function 005A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005A5186
ShowWindow.USER32(?,00000000), ref: 005A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005A51D1

Part of subcall function 005A6FBA: DeleteObject.GDI32(00000000), ref: 005A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 005A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005A5296

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
Instruction ID: fe7235efff2c23d5327d5b586f3a8d11d5ceac297eb2c576746703b80b7ff7a7
Opcode Fuzzy Hash: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
Instruction Fuzzy Hash: 9B517A34A40A09AEEF249F24DC4AFEC3FA5FF57321F144011F6559A2E1E775A984EB40

Function 00528B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00566890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 00566901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0056691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 0056692D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction ID: 5e0b6f25aa68993db56f952f6c905eec3b766dfcd013a009b4c7cdb023e2328e
Opcode Fuzzy Hash: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction Fuzzy Hash: B2519570A00609AFDB20CF64DC95BAA3FB5FF9A710F104518F9529B2E0DB70E990EB40

Function 0058C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C182
GetLastError.KERNEL32 ref: 0058C195
SetEvent.KERNEL32(?), ref: 0058C1A9

Part of subcall function 0058C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
Part of subcall function 0058C253: GetLastError.KERNEL32 ref: 0058C322
Part of subcall function 0058C253: SetEvent.KERNEL32(?), ref: 0058C336
Part of subcall function 0058C253: InternetCloseHandle.WININET(00000000), ref: 0058C341

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction ID: ef4ebc6702325274392a1a6c707f3af78ee6a66c85632095370511702284238e
Opcode Fuzzy Hash: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction Fuzzy Hash: 46318075200601AFDB21AFB5DC48A66BFF9FF69300B00441DF997A2650DB31E814EB70

Function 005725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00572601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00572605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0057260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00572623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00572627

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction ID: 6c4d37684ed6d9e3cd017629e0a6cd174e5f0399fcc14a979a4e7f699d898d2d
Opcode Fuzzy Hash: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction Fuzzy Hash: 6E01D431390210BBFB1067699C8EF593F59EB9EB12F104001F318AF0D1C9E22449EA69

Function 00571803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00571449,?,?,00000000), ref: 0057180C
HeapAlloc.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571828
GetCurrentProcess.KERNEL32(?,00000000,?,00571449,?,?,00000000), ref: 00571830
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571843
GetCurrentProcess.KERNEL32(00571449,00000000,?,00571449,?,?,00000000), ref: 0057184B
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 0057184E
CreateThread.KERNEL32(00000000,00000000,00571874,00000000,00000000,00000000), ref: 00571868

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction ID: 46fec11f13f0ccf2d9f6bbdd5053c8cba2646cac1bf36057acf69a3238f3dc8e
Opcode Fuzzy Hash: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction Fuzzy Hash: 5701BBB5340308BFE710ABA5DC4DF6B3FACEB9AB11F008411FA05DB1A1DA709804DB20

Function 00543E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00543F0B
__alldvrm.LIBCMT ref: 0054410C
__alldvrm.LIBCMT ref: 0054412E

Strings

}}S, xrefs: 00543E96, 00543EF1, 00543F0A, 00544090
}}S, xrefs: 005440CD
}}S, xrefs: 00543E8A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}S$}}S$}}S
API String ID: 1036877536-895446879
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1f58a2e901280b91e106e65eba6a01f1f909075f1f2f293f49a04c21a9fdcb07
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 8DA13671D407869FEB25CE18C8957EEBFF4FF61358F18416EE5859B282C2388985CB50

Function 0059A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0057D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Part of subcall function 0057D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Part of subcall function 0057D4DC: CloseHandle.KERNELBASE(00000000), ref: 0057D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A16D
GetLastError.KERNEL32 ref: 0059A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0059A268
GetLastError.KERNEL32(00000000), ref: 0059A273
CloseHandle.KERNEL32(00000000), ref: 0059A2C4

Strings

SeDebugPrivilege, xrefs: 0059A18F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: da3ba646be0e545e3d66cd61f8e36c9710ed2ba4b790b89caa0407dddb526da4
Instruction ID: e0704fa6ca13c87619b056634e1cb1450a27cccd01a9f3c3f23e821b2de89b9e
Opcode Fuzzy Hash: da3ba646be0e545e3d66cd61f8e36c9710ed2ba4b790b89caa0407dddb526da4
Instruction Fuzzy Hash: 5D615E342042429FEB10DF18C498F55BFA1BF94318F14849CE4664B7A2C776ED45CBD2

Function 005A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A3954
_wcslen.LIBCMT ref: 005A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A39F4

Strings

SysListView32, xrefs: 005A38F7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction ID: a1f9f8aba6b8e4cb58b309b81d8268a2f0420fcd9578ca1bfad196a03ca267d3
Opcode Fuzzy Hash: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction Fuzzy Hash: A641D071A00219ABEB21DF64CC49BEE7FA9FF49354F100526F948E7281D7B49E84CB90

Function 0057BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057BCFD
IsMenu.USER32(00000000), ref: 0057BD1D
CreatePopupMenu.USER32 ref: 0057BD53
GetMenuItemCount.USER32(01585EF0), ref: 0057BDA4
InsertMenuItemW.USER32(01585EF0,?,00000001,00000030), ref: 0057BDCC

Strings

2, xrefs: 0057BD37
0, xrefs: 0057BCA8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction ID: 2c2c97a1fb7455183e1d6cc62613661665a13b37a265714c6c8adc8c2d7d318f
Opcode Fuzzy Hash: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction Fuzzy Hash: 72519F70A002059FEB21CFA8E888BAEBFF4BF55314F14C519E419D7291E7719944EB51

Function 00532D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00532D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00532D53
_ValidateLocalCookies.LIBCMT ref: 00532DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00532E0C
_ValidateLocalCookies.LIBCMT ref: 00532E61

Strings

&HS, xrefs: 00532DFE, 00532E07, 00532E18
csm, xrefs: 00532DF6

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HS$csm
API String ID: 1170836740-2847240634
Opcode ID: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction ID: 0bea1da9764ef4f34922b89c5fa33763107bcb5945878550b89b573c13aae0ce
Opcode Fuzzy Hash: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction Fuzzy Hash: C841A434A01609EBCF10DF68C849A9EBFB5BF84324F148555E915AB392D731EE06CBD0

Function 0057C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0057C913

Strings

info, xrefs: 0057C8B4
question, xrefs: 0057C8CC
warning, xrefs: 0057C8FC
stop, xrefs: 0057C8E4
blank, xrefs: 0057C895

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction ID: e212c30a210cf7aa27542c3ff9acd9c788ff0629e0f630f1785aae49e8fb743c
Opcode Fuzzy Hash: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction Fuzzy Hash: EE11EB3168930BBBA7119B54AC82CEA7F9CFF15754B10442FF608A6282D7707D417665

Function 0057DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0057DE42
gethostname.WSOCK32(?,00000100), ref: 0057DE5C
gethostbyname.WSOCK32(?), ref: 0057DE69
inet_ntoa.WSOCK32(?), ref: 0057DEAB
_strcat.LIBCMT ref: 0057DEB9
WSACleanup.WSOCK32 ref: 0057DEDE

Strings

0.0.0.0, xrefs: 0057DE87

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: b83384a230a6af87d7241cc0e1d511fd6d7426432f0b982ddb572b56f8bbdc2b
Instruction ID: ee75dfb84620e70e6cfd8f51af7230fc58ee946da8e1a084ae9e42d6b3fa5ff5
Opcode Fuzzy Hash: b83384a230a6af87d7241cc0e1d511fd6d7426432f0b982ddb572b56f8bbdc2b
Instruction Fuzzy Hash: AE110A72504115AFDB21AB20AC0EEDE7FBCFF55711F004169F40996091EF759A81AA70

Function 0057ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0057ED2A
_wcslen.LIBCMT ref: 0057ED3B
_wcslen.LIBCMT ref: 0057ED79
_wcslen.LIBCMT ref: 0057EDAF
_wcslen.LIBCMT ref: 0057EDDF
_wcslen.LIBCMT ref: 0057EDEF
_wcslen.LIBCMT ref: 0057EE2B
_wcslen.LIBCMT ref: 0057EE5A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction ID: fd9260e992b1fcecdb2533b2e0b1c8fb117d3ad969f22688c65896332eea0067
Opcode Fuzzy Hash: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction Fuzzy Hash: 80418466C1021975CB11EBB4988EACF7BBCBF89710F508466F518E3122FB34E255C7A5

Function 0052F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0052F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F454

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction ID: 07321a2e70d98a1bac38aea76dd3c6b95a3245066138fbfcc962061d945a9381
Opcode Fuzzy Hash: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction Fuzzy Hash: FB410B31608690BAC7398B2DF88872A7FB1BF97314F14483CE087576E1D631A8C4DB11

Function 005A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A2D1B
GetDC.USER32(00000000), ref: 005A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A2DE1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction ID: b6d39b8348042ce4923334a8c5d0a1ebf2a7551c46a4fdac2a551361e7c2b3a7
Opcode Fuzzy Hash: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction Fuzzy Hash: 92316972201214BBEB218F548C8AFEB3FA9FB1A715F044055FE089A292C6759C55CBA4

Function 00575622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575637
_memcmp.LIBVCRUNTIME ref: 00575659
_memcmp.LIBVCRUNTIME ref: 00575671
_memcmp.LIBVCRUNTIME ref: 00575684
_memcmp.LIBVCRUNTIME ref: 0057569E
_memcmp.LIBVCRUNTIME ref: 005756B1
_memcmp.LIBVCRUNTIME ref: 005756C9
_memcmp.LIBVCRUNTIME ref: 005756E4

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction ID: ce476ce3a50280507b72a00b44a597f3a5bb3df3f37a3004d0808bb695d88dfd
Opcode Fuzzy Hash: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction Fuzzy Hash: 82212961644E0A77D2185521AD96FFE3F5CFF61394F448420FD0E9A581FBA0EE1092E9

Function 00594FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0059502E, 00595383
Not an Object type, xrefs: 00595007

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5a56291e7cb7dc02fb1611ac729ea5b451d6355270a925ecd4a4f7b9ac67e684
Instruction ID: 4994603213440e1249d98e5c545af81e94d688fc66b64a5b5c8d9e703bc23fe2
Opcode Fuzzy Hash: 5a56291e7cb7dc02fb1611ac729ea5b451d6355270a925ecd4a4f7b9ac67e684
Instruction Fuzzy Hash: A9D1E271A0060AAFDF11CFA8C885FAEBBB5FF48344F148469E915AB281E770DD55CB90

Function 00551522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00551651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005516FB

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00551777
__freea.LIBCMT ref: 005517A2
__freea.LIBCMT ref: 005517AE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction ID: c04c13829556676bdde93f596624673d63ad07e03a4ba3af2b3dd2827bf6d391
Opcode Fuzzy Hash: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction Fuzzy Hash: 9D91C671E10A165ADB208E78C8A5BEE7FB5FF49315F18055AEC02E7141EB35DC48CB68

Function 00594523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00594648
VariantInit.OLEAUT32(?), ref: 00594749
VariantClear.OLEAUT32(?), ref: 00594753
VariantClear.OLEAUT32(?), ref: 005947B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0059472C
Null Object assignment in FOR..IN loop, xrefs: 005945D8, 00594706, 005947BE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 394316b21b43a62c5a4bf4c2d46862402d16557e59365ab99ad4b497214932e2
Instruction ID: 41213f7b4867b2642b7d579067c4a1d108a3a7272f84ede0c31922d5a4a1301b
Opcode Fuzzy Hash: 394316b21b43a62c5a4bf4c2d46862402d16557e59365ab99ad4b497214932e2
Instruction Fuzzy Hash: B5917E71A00219ABDF24CFA4D848FAEBFB8FF46715F108559E505AB280D7709D46CFA0

Function 00581187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0058125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00581284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0058135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00581430

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction ID: de43210863cf6dd09675dc264b1f14575ccda69dbb8db402c8801cd81d3bf2c4
Opcode Fuzzy Hash: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction Fuzzy Hash: 7F91E175A006199FDB00EF94C889BBEBFB9FF85311F104429E901FB291D774A946CB98

Function 0052948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction ID: 3cb3b983fbfa0f9e69b899443e4a6e3a1e498c1d3afaa14e7ea96eee4cdfe8c9
Opcode Fuzzy Hash: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction Fuzzy Hash: 46910671E00219AFCB14CFA9D888AEEBFB8FF4A320F144555E515B7291D774A941CBA0

Function 00593947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0059396B
CharUpperBuffW.USER32(?,?), ref: 00593A7A
_wcslen.LIBCMT ref: 00593A8A
VariantClear.OLEAUT32(?), ref: 00593C1F

Part of subcall function 00580CDF: VariantInit.OLEAUT32(00000000), ref: 00580D1F
Part of subcall function 00580CDF: VariantCopy.OLEAUT32(?,?), ref: 00580D28
Part of subcall function 00580CDF: VariantClear.OLEAUT32(?), ref: 00580D34

Strings

AUTOIT.ERROR, xrefs: 00593A80, 00593A85
Incorrect Parameter format, xrefs: 005939A6, 00593BA1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction ID: dc642ee4a540e05f302883e646ca5ec0a6347dd7f755bcea8d9dc74af3d1ce25
Opcode Fuzzy Hash: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction Fuzzy Hash: 769136756083069FCB10EF28C49596ABBE5FF89314F14882DF88997351DB30EE45CB92

Function 00594BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0057000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
Part of subcall function 0057000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
Part of subcall function 0057000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
Part of subcall function 0057000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00594C51
_wcslen.LIBCMT ref: 00594D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00594DCF
CoTaskMemFree.OLE32(?), ref: 00594DDA

Strings

NULL Pointer assignment, xrefs: 00594E23, 00594E52

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction ID: 60621b3f739e646e4d965c75ee284f12d03f14d315a975b55d033b0dbefe4138
Opcode Fuzzy Hash: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction Fuzzy Hash: 80911671D0021AAFDF10DFA4D895EEEBBB8BF48310F108569E919A7241DB309E45CF60

Function 005A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005A2183
GetMenuItemCount.USER32(00000000), ref: 005A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A21DD
_wcslen.LIBCMT ref: 005A2213
GetMenuItemID.USER32(?,?), ref: 005A224D
GetSubMenu.USER32(?,?), ref: 005A225B

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A22E3

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 75fcc24618413aeca1fe05da96384af7efdc3be5f7f2bfa15d60330d2180b974
Instruction ID: c20852dbd681ee844113cfb4df46e37ba3a5a5cefbeecbe0b2aa2c3e45403db4
Opcode Fuzzy Hash: 75fcc24618413aeca1fe05da96384af7efdc3be5f7f2bfa15d60330d2180b974
Instruction Fuzzy Hash: 55714B75A00215AFCB10DF68C846AAEBFF5BF8A310F148469E916AB351DB34ED418B90

Function 005A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01585F90), ref: 005A7F37
IsWindowEnabled.USER32(01585F90), ref: 005A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 005A801E
SendMessageW.USER32(01585F90,000000B0,?,?), ref: 005A8051
IsDlgButtonChecked.USER32(?,?), ref: 005A8089
GetWindowLongW.USER32(01585F90,000000EC), ref: 005A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005A80C3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d87aec16feb92479b5353dc36a41eb92670cc3dde134ae5ce6792a76c3e342d5
Instruction ID: e6b27c16929c0c9da5fd5348c41c6e9a936cb2a796b9d50470e2dde8bed12b99
Opcode Fuzzy Hash: d87aec16feb92479b5353dc36a41eb92670cc3dde134ae5ce6792a76c3e342d5
Instruction Fuzzy Hash: 1771AB34608248AFEB219F64CC88FBEBFB9FF5B300F144459E95597261CB31AA44DB20

Function 0057AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0057AEF9
GetKeyboardState.USER32(?), ref: 0057AF0E
SetKeyboardState.USER32(?), ref: 0057AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0057AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0057AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0057AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0057B020

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction ID: 7be483fbd37eb13ca928255f13004dd394cd7099eaf4d2ad01014ca44ad8056f
Opcode Fuzzy Hash: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction Fuzzy Hash: 4351D1A06087D53DFB3682349C49BBEBEA96B46304F08C589E1DD958C3D398ACC8E751

Function 0057ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0057AD19
GetKeyboardState.USER32(?), ref: 0057AD2E
SetKeyboardState.USER32(?), ref: 0057AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0057ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0057ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0057AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0057AE38

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction ID: 2a5d4e7a1b1f96e325617f309cc14afbe8a8c276494c597c50560d8cea99cd91
Opcode Fuzzy Hash: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction Fuzzy Hash: 8D51B3A15047D53DFB3783249C55BBE7EA97B86300F08C589E5DD868C2D294EC88F762

Function 0054542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00553CD6,?,?,?,?,?,?,?,?,00545BA3,?,?,00553CD6,?,?), ref: 00545470
__fassign.LIBCMT ref: 005454EB
__fassign.LIBCMT ref: 00545506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00553CD6,00000005,00000000,00000000), ref: 0054552C
WriteFile.KERNEL32(?,00553CD6,00000000,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 0054554B
WriteFile.KERNEL32(?,?,00000001,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 00545584

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction ID: 24808c6eb1eebcecf855a58c8dca5a9990f6fc865d75660e9bc5a7327662084e
Opcode Fuzzy Hash: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction Fuzzy Hash: 4B51E270A00649AFDB11CFA8D885AEEBFF9FF09304F14451AF955E7292E7309A41CB60

Function 005910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00591112
WSAGetLastError.WSOCK32 ref: 00591121
WSAGetLastError.WSOCK32 ref: 005911C9
closesocket.WSOCK32(00000000), ref: 005911F9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction ID: 04beafee710abd91a90cd2a77743609229ea6634105e9c3ca98ffbced2de8dcd
Opcode Fuzzy Hash: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction Fuzzy Hash: 7C412531600616AFEB109F14C888BA9BFE9FF85324F148059FD169B291C774ED85DBE4

Function 0057CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

lstrcmpiW.KERNEL32(?,?), ref: 0057CF45
MoveFileW.KERNEL32(?,?), ref: 0057CF7F
_wcslen.LIBCMT ref: 0057D005
_wcslen.LIBCMT ref: 0057D01B
SHFileOperationW.SHELL32(?), ref: 0057D061

Strings

\*.*, xrefs: 0057CFF3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction ID: ada66f8667195852e43d9519554c622855c0565a0c124dc18f69882a95181e2f
Opcode Fuzzy Hash: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction Fuzzy Hash: FA4158719052195FDF12EFA4D985BDD7FB8BF49340F0040E6E509E7141EA34A688DB50

Function 005A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 005A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 005A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 005A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A2F0B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction ID: 1ece014ebc33cc210ac4a3980a161cae4336022ef94b4a8af5ac0834027a5871
Opcode Fuzzy Hash: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction Fuzzy Hash: EC31E230604150AFDB25CF5CDC86F693BE9FBAA710F150164F944CF2A2CB71A884EB41

Function 00577726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057778F
SysAllocString.OLEAUT32(00000000), ref: 00577792
SysAllocString.OLEAUT32(?), ref: 005777B0
SysFreeString.OLEAUT32(?), ref: 005777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005777DE
SysAllocString.OLEAUT32(?), ref: 005777EC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9b357f3757675ea6193aa3eb07c3e6a6d1622eea56f768f78aff5107d63e2e52
Instruction ID: 2c3f50426a146e8d2bc7d00069235f1cea404695fe4d317a572107786424b804
Opcode Fuzzy Hash: 9b357f3757675ea6193aa3eb07c3e6a6d1622eea56f768f78aff5107d63e2e52
Instruction Fuzzy Hash: CA21AE7660421DAFDF14DFA8EC88CBB7BACFB0E3647008425BA18DB190D670DC469764

Function 005777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577868
SysAllocString.OLEAUT32(00000000), ref: 0057786B
SysAllocString.OLEAUT32 ref: 0057788C
SysFreeString.OLEAUT32 ref: 00577895
StringFromGUID2.OLE32(?,?,00000028), ref: 005778AF
SysAllocString.OLEAUT32(?), ref: 005778BD

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2353690a7d64af4df6c91fdc47f123bc3805bf443831cf0f3e37044705d9dfbe
Instruction ID: f04f6c16220ee9e93ed60939c5d961383f60e93ca6d7507fa7efb3135eb97a5d
Opcode Fuzzy Hash: 2353690a7d64af4df6c91fdc47f123bc3805bf443831cf0f3e37044705d9dfbe
Instruction Fuzzy Hash: A0215E31608219AF9F109BA8EC8CDBA7BECFB0D7607108125B919CB2A1DA74DC45DB65

Function 005804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0058052E

Strings

nul, xrefs: 00580567

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction ID: 9c7d3147b386a8114e02b5750a2c6f5bd12c813dd4f1ddfa126cea67167ce39d
Opcode Fuzzy Hash: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction Fuzzy Hash: 90212C75600305AFDF60AF69D844A9A7FE4BF55724F204A19ECA1E62E0E7709948DF30

Function 005805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00580601

Strings

nul, xrefs: 00580639

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction ID: e5c723a863d6c6fe7cf82ad9c551b56497688e16fb38169c5e756eea4dd4cab2
Opcode Fuzzy Hash: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction Fuzzy Hash: AB2153755003059FDB60AF6A9C04A6A7FE4BF95720F205B19FCA1F72E0E7709969CB20

Function 005A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A4145

Strings

Msctls_Progress32, xrefs: 005A40E3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction ID: cb4d0cc8cb859647043195d014e59a02076571dedb0c9a3cb7cb2736a4013ce4
Opcode Fuzzy Hash: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction Fuzzy Hash: 8311B6B114011D7EEF118FA4CC85EEB7F5DFF59798F004111B618A6150C6729C61DBA4

Function 0054D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0054D7A3: _free.LIBCMT ref: 0054D7CC

_free.LIBCMT ref: 0054D82D

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D838
_free.LIBCMT ref: 0054D843
_free.LIBCMT ref: 0054D897
_free.LIBCMT ref: 0054D8A2
_free.LIBCMT ref: 0054D8AD
_free.LIBCMT ref: 0054D8B8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 417ec84ad38db8e74e8797b67926e58fb58d938e5b93832e5d11f6772c22c25f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1B114F71540B15ABE921BFB1CC4BFCB7FFCBF80704F800825B29DA6192DA79B5454660

Function 0057DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0057DA74
LoadStringW.USER32(00000000), ref: 0057DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057DA91
LoadStringW.USER32(00000000), ref: 0057DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0057DAB9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction ID: 47a6e13620e782190c6b3c9374313eeff20332fda4825a87478aa119a98b56a1
Opcode Fuzzy Hash: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction Fuzzy Hash: 560167F25002087FEB10D7A49D89EEB3BBCFB05301F404456B709E2041E6749E849F74

Function 0058096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01583958,01583958), ref: 0058097B
EnterCriticalSection.KERNEL32(01583938,00000000), ref: 0058098D
TerminateThread.KERNEL32(?,000001F6), ref: 0058099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005809A9
CloseHandle.KERNEL32(?), ref: 005809B8
InterlockedExchange.KERNEL32(01583958,000001F6), ref: 005809C8
LeaveCriticalSection.KERNEL32(01583938), ref: 005809CF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction ID: 0b7a1e224bf35d8a7f398d5ecd0e6b4f17d5088d86843c90ea5afdf2fb671657
Opcode Fuzzy Hash: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction Fuzzy Hash: 57F03C32542A02BBD7415FA4EE8CBE6BF39FF12702F402025F202A18A0CB749469DF90

Function 00515D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00515D30
GetWindowRect.USER32(?,?), ref: 00515D71
ScreenToClient.USER32(?,?), ref: 00515D99
GetClientRect.USER32(?,?), ref: 00515ED7
GetWindowRect.USER32(?,?), ref: 00515EF8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 55ba09df899d0c638a916fd0e56a3c414496e136664193bddbebce17eb8d1f6b
Instruction ID: c7d7fc1143cd14310f257dc9f45e312d369d90796f03a5c7a261fc8d267bacc6
Opcode Fuzzy Hash: 55ba09df899d0c638a916fd0e56a3c414496e136664193bddbebce17eb8d1f6b
Instruction Fuzzy Hash: 92B17C34A0074ADBDB10CFA8C4807EEBBF5FF58314F14891AE8A9D7250E730AA95DB50

Function 005401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005400D6
__allrem.LIBCMT ref: 005400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054010B
__allrem.LIBCMT ref: 00540122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00540140

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 8e23473207f57ba74eec83dc3c1ed4eca54db54e1dc9b9ce217cb2f8d7501e95
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: B081F871A007069BE724AE39CC49BAB7FE9BF91328F24553AF951D76C1E770D9008B50

Function 00591D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00593149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0059101C,00000000,?,?,00000000), ref: 00593195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00591DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00591DE1
WSAGetLastError.WSOCK32 ref: 00591DF2
inet_ntoa.WSOCK32(?), ref: 00591E8C
htons.WSOCK32(?,?,?,?,?), ref: 00591EDB
_strlen.LIBCMT ref: 00591F35

Part of subcall function 005739E8: _strlen.LIBCMT ref: 005739F2

Part of subcall function 00516D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0052CF58,?,?,?), ref: 00516DBA
Part of subcall function 00516D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0052CF58,?,?,?), ref: 00516DED

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 8f9a6a701176fa18ff937144c6a5171c0b45ed502b50bcc051bdb22cd0326915
Instruction ID: 2c453095c02d1d33421350a442251758ee16b73a13de28296ac07b33187f6ea4
Opcode Fuzzy Hash: 8f9a6a701176fa18ff937144c6a5171c0b45ed502b50bcc051bdb22cd0326915
Instruction Fuzzy Hash: 1DA1FF31104712AFDB14DB20C889E6A7FA5BFC4318F54894CF4565B2E2DB31ED86CB91

Function 005461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005382D9,005382D9,?,?,?,0054644F,00000001,00000001,8BE85006), ref: 00546258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0054644F,00000001,00000001,8BE85006,?,?,?), ref: 005462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005463D8
__freea.LIBCMT ref: 005463E5

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

__freea.LIBCMT ref: 005463EE
__freea.LIBCMT ref: 00546413

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction ID: 3fbf251d5f23bc9fb632ed8b9185025db5f5fafee3f0279a8ec4fe322b68717f
Opcode Fuzzy Hash: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction Fuzzy Hash: 5751DE72600256ABEB258E64DC85FEF7FA9FB86718F144A29F805D7190DB34DC40C6A1

Function 0059BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BD25
RegCloseKey.ADVAPI32(00000000), ref: 0059BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0059BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059BDF3
RegCloseKey.ADVAPI32(?), ref: 0059BDFF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 884fa420b0a8ffb9f1359db9e48005a25e23c0390b16d999c2e592ae6b24b825
Instruction ID: 2a9319274df48716c95288e4857821f2f203e22104ad1a171ec66022f79a0c6c
Opcode Fuzzy Hash: 884fa420b0a8ffb9f1359db9e48005a25e23c0390b16d999c2e592ae6b24b825
Instruction Fuzzy Hash: 7B819D30108242AFE714DF24D995E6ABFE9FF85308F14895CF4594B2A2DB31ED45CB92

Function 0056F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0056F7B9
SysAllocString.OLEAUT32(00000001), ref: 0056F860
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F889
VariantClear.OLEAUT32(0056FA64), ref: 0056F8AD
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F8B1
VariantClear.OLEAUT32(?), ref: 0056F8BB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction ID: bd3130b51eb21b362942704d5d13f4857b70a6ea9e97e5f70fdf2f0b091cf2e1
Opcode Fuzzy Hash: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction Fuzzy Hash: AA51C831E00311BBDF20AB65F899B69BFA9FF95310F245866E905DF291DB708C40C766

Function 0058910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005894E5
_wcslen.LIBCMT ref: 00589506
_wcslen.LIBCMT ref: 0058952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00589585

Strings

X, xrefs: 00589412

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 19390ebe71eea81c73e46538e88ebcf5df4d2ecad51e22a37f0245922fd46396
Instruction ID: 11df7cf4072da922e408185763d5ec414add65fba783ca5403043dd5de1535b1
Opcode Fuzzy Hash: 19390ebe71eea81c73e46538e88ebcf5df4d2ecad51e22a37f0245922fd46396
Instruction Fuzzy Hash: 51E1B5315043019FD714EF24C885AAEBBE4BFC5314F18896DF8999B2A2DB31ED45CB92

Function 0052920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

BeginPaint.USER32(?,?,?), ref: 00529241
GetWindowRect.USER32(?,?), ref: 005292A5
ScreenToClient.USER32(?,?), ref: 005292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005292D3
EndPaint.USER32(?,?,?,?,?), ref: 00529321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005671EA

Part of subcall function 00529339: BeginPath.GDI32(00000000), ref: 00529357

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction ID: 027379cd50156cfc62f615645239b1b77b58bb2120b6ee5cc23bfec4bf28e176
Opcode Fuzzy Hash: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction Fuzzy Hash: C1419F31104255AFD710DF24D884FBA7FA8FFAA724F140629F994CB2E2C7309849EB61

Function 005807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0058080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00580847
EnterCriticalSection.KERNEL32(?), ref: 00580863
LeaveCriticalSection.KERNEL32(?), ref: 005808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00580921

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 07d0c3756413b901c071befae69357807687bdf318a6bf728e3e3d42e8ce51d8
Instruction ID: 4500ba0523c5062cea205dafcd198b214d5d59c943d0a2c7110aba8eaec8f3da
Opcode Fuzzy Hash: 07d0c3756413b901c071befae69357807687bdf318a6bf728e3e3d42e8ce51d8
Instruction Fuzzy Hash: 34415B71A00205EBDF55AF54EC85AAA7B78FF45310F1440B9ED00AA297DB30DE69DBA0

Function 005A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0056F3AB,00000000,?,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 005A824C
EnableWindow.USER32(?,00000000), ref: 005A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005A82D1
ShowWindow.USER32(?,00000004), ref: 005A82E5
EnableWindow.USER32(?,00000001), ref: 005A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005A832F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction ID: 1e32dd9f8b9f24350eac1461971b1f38191ecfe6c4d8894e7d7143417267ca4d
Opcode Fuzzy Hash: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction Fuzzy Hash: BC419F34601A44AFDF25CF14DC99BB87FE0BF5BB14F1851A9E6488F2A2CB31A845DB50

Function 00574C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00574C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00574CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00574CEA
_wcslen.LIBCMT ref: 00574D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00574D10
_wcsstr.LIBVCRUNTIME ref: 00574D1A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2e4df6f285bfb62b9a26b2e4f3074fbfab9d1a377dd5210a4ed884099a2ceef4
Instruction ID: ea13f0270ee074d96add9a742b390796300102f201a5ab985024bad39e9a3012
Opcode Fuzzy Hash: 2e4df6f285bfb62b9a26b2e4f3074fbfab9d1a377dd5210a4ed884099a2ceef4
Instruction Fuzzy Hash: BD21DA31204111BBEB269B39BC49E7B7FACEF46750F108079F809CE191EB61DC00ABA0

Function 0058581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

_wcslen.LIBCMT ref: 0058587B
CoInitialize.OLE32(00000000), ref: 00585995
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 005859AE
CoUninitialize.OLE32 ref: 005859CC

Strings

.lnk, xrefs: 00585876, 005858C1, 00585985

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction ID: df1f498cf2d8dc26ba8d104b54e7ceb7076030961fc1a982c014677c50aa6180
Opcode Fuzzy Hash: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction Fuzzy Hash: 7DD155716046029FC714EF24C484A6ABBF6FF89715F14485DF88AAB361EB31EC45CB92

Function 0057175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
Part of subcall function 00570FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
Part of subcall function 00570FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
Part of subcall function 00570FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

GetLengthSid.ADVAPI32(?,00000000,00571335), ref: 005717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005717BA
HeapAlloc.KERNEL32(00000000), ref: 005717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005717DA
GetProcessHeap.KERNEL32(00000000,00000000,00571335), ref: 005717EE
HeapFree.KERNEL32(00000000), ref: 005717F5

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction ID: a306c3febc59018670b8c3e746feebefba4651decdf4236d2cc456a286eb8a99
Opcode Fuzzy Hash: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction Fuzzy Hash: 7111BE71600605FFDB189FA8EC49BAE7FA9FB42355F108018F44597210C735A948EB64

Function 005714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00571506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00571515
CloseHandle.KERNEL32(00000004), ref: 00571520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00571563

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction ID: 3de88d6edb35001512216c03d84204cd82d6485c888df2724c75c87a67a78cfc
Opcode Fuzzy Hash: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction Fuzzy Hash: FF112972500209ABDF118F98ED49FDE7FAAFF49744F048059FA09A2160C3758E68EB64

Function 00533382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00533379,00532FE5), ref: 00533390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0053339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005333B7
SetLastError.KERNEL32(00000000,?,00533379,00532FE5), ref: 00533409

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: da4f61941faa9d26e96e8c38fd05f642471f7307f65e20dd5f66f99cd51ee374
Instruction ID: f693e8de9a1fddd44ff4ea10a9246f772a41f29b1619651dd54edb8fdbc2cff6
Opcode Fuzzy Hash: da4f61941faa9d26e96e8c38fd05f642471f7307f65e20dd5f66f99cd51ee374
Instruction Fuzzy Hash: 4201243320A313BEAB2527757C8E66B6F94FB65379F20862BF411812F0EF115D09E544

Function 00542D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00545686,00553CD6,?,00000000,?,00545B6A,?,?,?,?,?,0053E6D1,?,005D8A48), ref: 00542D78
_free.LIBCMT ref: 00542DAB
_free.LIBCMT ref: 00542DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DEC
_abort.LIBCMT ref: 00542DF2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 62cfb83b7b5bef5b7d563da29e61da4aeff2f3a90bfebd958c39198c6cdece49
Instruction ID: f5cbab5f9bf341c041b5f3053ea48a15feefdc3825c3808692b893db0908a8b7
Opcode Fuzzy Hash: 62cfb83b7b5bef5b7d563da29e61da4aeff2f3a90bfebd958c39198c6cdece49
Instruction Fuzzy Hash: 02F0F935905A2227C72223356C0EBDA3E65BFD276CF640416F424921D1DE7088065120

Function 005A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005A8A70
LineTo.GDI32(?,00000000,00000003), ref: 005A8A80
EndPath.GDI32(?), ref: 005A8A90
StrokePath.GDI32(?), ref: 005A8AA0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction ID: d6a9bafa926ed9261b32c204509212f39831f4894a095bc47e0e22db3f1a9880
Opcode Fuzzy Hash: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction Fuzzy Hash: 12110976000149FFDB129F90DC88EAE7FACFB1A350F008052BA199A1A1C7719D59EBA0

Function 005751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00575218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00575229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00575230
ReleaseDC.USER32(00000000,00000000), ref: 00575238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00575261

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction ID: ad0b1388eaca1b18f430a971a13d0f30a7ef8ad6dc48fd6bf1e412b1780d21bf
Opcode Fuzzy Hash: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction Fuzzy Hash: 34014F75E00719BBEB109FA59C49A5EBFB8FB59751F044065FA04A7281D6709C04DBA0

Function 00511BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction ID: 8104bd8a3a16777a0100d31c6e56535fe1fec174e2b76d9ba146ccab654f1ad9
Opcode Fuzzy Hash: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction Fuzzy Hash: 56016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C4B941C7F5A864CBE5

Function 0057EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0057EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0057EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0057EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB75

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction ID: fc39b818e2df40502db5299f8939906dcd16140d734222746a9f8807cb6daf27
Opcode Fuzzy Hash: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction Fuzzy Hash: E4F05E72240158BFE7219B669C0EEEF3E7CEFDBB11F004159F601D6091EBA05A05E6B5

Function 00567439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00567452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00567469
GetWindowDC.USER32(?), ref: 00567475
GetPixel.GDI32(00000000,?,?), ref: 00567484
ReleaseDC.USER32(?,00000000), ref: 00567496
GetSysColor.USER32(00000005), ref: 005674B0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction ID: d1812f9935a0adfe8a119fd6e5cfcef09dae11d2db8d67be07d1dd61e9215de1
Opcode Fuzzy Hash: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction Fuzzy Hash: 71018B31400219EFDB109F64DD08BAA7FB5FF19312F1004A0FA16A31A0CF311E45EB50

Function 00571874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057187F
UnloadUserProfile.USERENV(?,?), ref: 0057188B
CloseHandle.KERNEL32(?), ref: 00571894
CloseHandle.KERNEL32(?), ref: 0057189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005718A5
HeapFree.KERNEL32(00000000), ref: 005718AC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction ID: 53388d2a26a516a9766c5c590047ea269dd84adecef78addd8aa7507263693c6
Opcode Fuzzy Hash: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction Fuzzy Hash: 63E0E536204101BBDB015FA1ED0C90ABF79FF6AB22B108625F22581070CB329425EF50

Function 0051BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0051BEB3

Strings

D%^, xrefs: 0051BE9A
D%^, xrefs: 0051BDED, 0051BD91, 0051BD1B
D%^D%^, xrefs: 0051BCA5
D%^, xrefs: 0051BCA2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%^$D%^$D%^$D%^D%^
API String ID: 1385522511-1929028606
Opcode ID: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction ID: 6f991f027e25756a3003fd0b7dcf529f9e945aea5314bd44430ac6a76bf9f4a1
Opcode Fuzzy Hash: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction Fuzzy Hash: D6913875A0020ACFEB18CF59C0906EABBF1FF58314F24856AD985AB351E731AD81DBD0

Function 00597B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00597BFB

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Strings

+TV, xrefs: 00597E2E
Variable must be of type 'Object'., xrefs: 00597C3A
5, xrefs: 00597C78
G, xrefs: 00597C7F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TV$5$G$Variable must be of type 'Object'.
API String ID: 535116098-200929741
Opcode ID: 48dc413d81cd788be3cb353284e0215ff9e5569f412c98056682657defb21b42
Instruction ID: 5f0fb7d791387c32185073a1c367636e123ab176c65c60e18ac2b4aa22c28088
Opcode Fuzzy Hash: 48dc413d81cd788be3cb353284e0215ff9e5569f412c98056682657defb21b42
Instruction Fuzzy Hash: 8A919D74A1420AEFCF04EF54D8959ADBFB5FF89300F14845AF8469B292DB71AE81CB50

Function 0057C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C6EE
_wcslen.LIBCMT ref: 0057C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0057C7CA

Strings

0, xrefs: 0057C6AF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 3fd393b5792759dafc95e2defe1e60a87d8efefa5b2dae27fc8ef2cce0cb0728
Instruction ID: a3dda11ab15fac253c6db574705e2fd073e956b4adf7794585aac684035722c4
Opcode Fuzzy Hash: 3fd393b5792759dafc95e2defe1e60a87d8efefa5b2dae27fc8ef2cce0cb0728
Instruction Fuzzy Hash: 9C51DF716043019BD7199F28E889B6B7FE8FF89310F048A2DF999D31D1DB70D944AB52

Function 0059AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0059AEA3

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetProcessId.KERNEL32(00000000), ref: 0059AF38
CloseHandle.KERNEL32(00000000), ref: 0059AF67

Strings

<, xrefs: 0059AE6B
@, xrefs: 0059AE72

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: f1d1d86bac1d1007f8e0dc77f8cd5eedb306a02c3a534276944668214863cc78
Instruction ID: 90671fb062b8a2f915692e78eef52098666e0e30d31774189c009a972bd22642
Opcode Fuzzy Hash: f1d1d86bac1d1007f8e0dc77f8cd5eedb306a02c3a534276944668214863cc78
Instruction Fuzzy Hash: 55715574A0021A9FDF14DF54C488A9EBBF5FF48300F048499E816AB392DB31ED85CBA1

Function 0057719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00577206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005772CF

Strings

DllGetClassObject, xrefs: 00577242

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction ID: da2a720d7b9e695153c1b04487fd3d582e97116edaf2c8853fbfc902e3e55f44
Opcode Fuzzy Hash: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction Fuzzy Hash: BE417F75604208EFDB15CF54E884A9A7FB9FF49310F14C4A9BD199F20AD7B0DA44EBA0

Function 005A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3E35
IsMenu.USER32(?), ref: 005A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3E92
DrawMenuBar.USER32 ref: 005A3EA5

Strings

0, xrefs: 005A3D89

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1bceec80553098125193177f9fca3ba96c71b585e905496f9ab3174f2a8371fb
Instruction ID: 6be0cb3900492b489e7d8b38080c9504939d65d214191f6a9dae164730f321f5
Opcode Fuzzy Hash: 1bceec80553098125193177f9fca3ba96c71b585e905496f9ab3174f2a8371fb
Instruction Fuzzy Hash: C3413875A01209EFDB10DF50E884AEEBBB9FF4A359F04412AF905AB250D730AE54DF50

Function 00571DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00571E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00571E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00571EA9

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Strings

ComboBox, xrefs: 00571DF0
ListBox, xrefs: 00571E25

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: cc1f402ae6c058c4142a4637a3212185b251d8b844b6496d99f94dd37eb92477
Instruction ID: 892e5f3c202c9373ec246605e7e8a0d623a05e3ad30fdf0578eba26b9ef320ff
Opcode Fuzzy Hash: cc1f402ae6c058c4142a4637a3212185b251d8b844b6496d99f94dd37eb92477
Instruction Fuzzy Hash: 42210A71900105BAEB149B68EC5ACFF7FBCFF86390B108529FC59A72D1DB344D49A660

Function 0059C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059C9F1
_wcslen.LIBCMT ref: 0059CA68
_wcslen.LIBCMT ref: 0059CA9E
_wcslen.LIBCMT ref: 0059CAF9
_wcslen.LIBCMT ref: 0059CB2F
_wcslen.LIBCMT ref: 0059CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0059CA62, 0059CA67
HKLM, xrefs: 0059CA98, 0059CA9D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
Instruction ID: 522803fa16ebc2750780e43fed22bc03c45084630453367975b6cd4281c06cd4
Opcode Fuzzy Hash: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
Instruction Fuzzy Hash: 0831F873A0056E4BCF30DF2C99501BE3F91BBA5790F55402AE855AB345F671CE84D7A0

Function 005A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A2F8D
LoadLibraryW.KERNEL32(?), ref: 005A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A2FA9
DestroyWindow.USER32(?), ref: 005A2FB1

Strings

SysAnimate32, xrefs: 005A2F68

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction ID: 96ab904e3b7256b38d47e8eba9819b34847afc57450e7fba80572e2985b0c4f6
Opcode Fuzzy Hash: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction Fuzzy Hash: CF219A71204209AFEB108F68DC87EBF3BB9FB5A364F104619FA50D6190D771DC91AB60

Function 00534D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002), ref: 00534D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00534DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000), ref: 00534DC3

Strings

CorExitProcess, xrefs: 00534D98
mscoree.dll, xrefs: 00534D86

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction ID: 692752c2c850a5c8ed03e6f098b84b58c0440c771ae0dc7cf6b7e5924add74c1
Opcode Fuzzy Hash: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction Fuzzy Hash: CDF03C34A40209ABDB119B94DC49BAEBFE5FB54751F0001A5E806A62A0CB70A944DE90

Function 00514E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00514EA8
kernel32.dll, xrefs: 00514E94

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction ID: 16283ffd9647496279248e6936e60fcdeb8308ace92cc0f5365f1196ffeef1e6
Opcode Fuzzy Hash: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction Fuzzy Hash: 54E08635B016225BE33117257C18B9F7E58BF93B627050215FC04D2200DB60CD4598A2

Function 00514E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00514E6E
kernel32.dll, xrefs: 00514E5B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction ID: c00cc8ec08d002cd9b4a5957fddf67c7e2e60ced3bcc97b4d2ec27bf5b7f19f1
Opcode Fuzzy Hash: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction Fuzzy Hash: 17D0123560262257A7321B257C18DCF7E1CBF87B513050715F905A6214DF61CD46D9E1

Function 00582947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582C05
DeleteFileW.KERNEL32(?), ref: 00582C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00582C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CC0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c4cf12c13ed78271f6f9735e564c25d7e805ffb9c4c87e9294fee9cf36d2709e
Instruction ID: d8a466fde6715d192c1b25391eab9c62b1a2b36353e92d2b34031b6139532f0e
Opcode Fuzzy Hash: c4cf12c13ed78271f6f9735e564c25d7e805ffb9c4c87e9294fee9cf36d2709e
Instruction Fuzzy Hash: 99B1417190111AABDF15EBA4CC89EEE7FBDFF89350F1040A6F909F6141EA319A448F61

Function 0059A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0059A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059A468
CloseHandle.KERNEL32(?), ref: 0059A63D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 03b6ca2fe12878da1c5c8d003b41012fd0046db1cd9d635ff7dcb1b093906e26
Instruction ID: a1d191c2bac256b3c28d0f258f2a557af3329cf0ad95e8c8a8494c0d65edd18f
Opcode Fuzzy Hash: 03b6ca2fe12878da1c5c8d003b41012fd0046db1cd9d635ff7dcb1b093906e26
Instruction Fuzzy Hash: BCA160716043019FEB20DF24D88AB2ABBE5BF84714F14885DF55A9B3D2DB71EC418B92

Function 0057E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

lstrcmpiW.KERNEL32(?,?), ref: 0057E473
MoveFileW.KERNEL32(?,?), ref: 0057E4AC
_wcslen.LIBCMT ref: 0057E5EB
_wcslen.LIBCMT ref: 0057E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0057E650

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction ID: f7b32ffa0406c7e72e17dbb538541a1960531860fa7a35bfe44debbd196d8cad
Opcode Fuzzy Hash: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction Fuzzy Hash: 125192B24083455BC724DB90E8969DF7BECBFC8340F00492EF689D3151EF75A6889766

Function 0059B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0059BB63
RegCloseKey.ADVAPI32(?,?), ref: 0059BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0059BBB3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction ID: cdc935dd82569dc0e844e059fad9d4eec726ddd56382caa8f3be6678c7951da6
Opcode Fuzzy Hash: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction Fuzzy Hash: 8661B031208241AFE714DF24C594E6ABFE5FF84308F14895CF49A8B2A2DB31ED45CB92

Function 00578BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00578BCD
VariantClear.OLEAUT32 ref: 00578C3E
VariantClear.OLEAUT32 ref: 00578C9D
VariantClear.OLEAUT32(?), ref: 00578D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00578D3B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction ID: 7c80970e1213464221eb4496de8c75ebeb80294f245bfc2cd8b3f89fe0b275e7
Opcode Fuzzy Hash: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction Fuzzy Hash: 415159B5A00219EFCB14CF68D894AAABBF8FF8D310B158559E909DB350E730E911CF90

Function 00588AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00588BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00588BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00588C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00588C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00588C5F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 87179ad2596f35eb8dcdeeee76adf1c38219a675df665b1847acd0d0e42de642
Instruction ID: a19e350f6f286658c5e9b15f55307042e586999b4f5f3ad6ce430dbebeefcec4
Opcode Fuzzy Hash: 87179ad2596f35eb8dcdeeee76adf1c38219a675df665b1847acd0d0e42de642
Instruction Fuzzy Hash: 3D514C35A002199FDB05EF64C885AA9BFF5FF89314F098458E849AB362DB31ED51CB90

Function 00598EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00598F40
GetProcAddress.KERNEL32(00000000,?), ref: 00598FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00598FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00599032
FreeLibrary.KERNEL32(00000000), ref: 00599052

Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00581043,?,753CE610), ref: 0052F6E6
Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0056FA64,00000000,00000000,?,?,00581043,?,753CE610,?,0056FA64), ref: 0052F70D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction ID: fbbef9e352b1613c8fa91f9117b92fae8a2c555a3f6b240144b2c7ccdc133f01
Opcode Fuzzy Hash: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction Fuzzy Hash: F9511735600205DFDB11DF58C4988A9BFF1FF8A314F0980A8E81A9B362DB31ED85CB90

Function 005A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0058AB79,00000000,00000000), ref: 005A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005A6CC7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction ID: 3b39315b6169eefebab93b79cc03f7a843ee7e4f72620e3c0e304cce5329afcd
Opcode Fuzzy Hash: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction Fuzzy Hash: CF418035A04104AFD724DF28CC68BAD7FA5FB0B360F190268F995AB2A1C771AD41DA50

Function 00542051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005420C3
_free.LIBCMT ref: 005420E3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
Instruction ID: 183b748e96f74ac567f286ee50b1371f51938626959f1d6d97846b07228f91e5
Opcode Fuzzy Hash: 40dac34452c29d3d285367ec9e7711878103222d4d833ecea8f4a32398d386d7
Instruction Fuzzy Hash: 5E41E432A002109FCB24DF78C884A9EBBF5FF89318F554569F515EB396D631AD01DB80

Function 0052912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00529141
ScreenToClient.USER32(00000000,?), ref: 0052915E
GetAsyncKeyState.USER32(00000001), ref: 00529183
GetAsyncKeyState.USER32(00000002), ref: 0052919D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction ID: 9d2a1fbd3cd9d4703fec7a0be231ebe00589e17911c06a0eb440ed85d9f8d19a
Opcode Fuzzy Hash: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction Fuzzy Hash: 1D415F7190861BBBDF159F69D848BEEBB74FF4A324F20421AE425A32D0C7305D54DB91

Function 00583874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00583922
TranslateMessage.USER32(?), ref: 0058394B
DispatchMessageW.USER32(?), ref: 00583955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction ID: 4f7c704a049fd1d16365d79e5dc282e96174174b464351dbbf9ba9575ee632fa
Opcode Fuzzy Hash: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction Fuzzy Hash: 5931EB709057819EEB39EF34D849BB63FA8FB15700F04056DECA6E60A0E7F49689DB11

Function 0058CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0058CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFF2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: cd7a6e7c983613b9baafcb138b53a459a5673fa5fc532f949d85694e21ad5de5
Instruction ID: 8ef22b1384aa3925981837eb9b4bbcd1e2dfa31eb94be813000d1238b4842efa
Opcode Fuzzy Hash: cd7a6e7c983613b9baafcb138b53a459a5673fa5fc532f949d85694e21ad5de5
Instruction Fuzzy Hash: 55314C71604205AFEB20EFA5D884AABBFF9FF15354B10442EFA06E2141DB30AE44DB70

Function 00571901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00571915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005719E2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction ID: 3486ec42c9f545e93dc0979e5a5cae22f7656c2c3d0fa965b371baba725cc6ab
Opcode Fuzzy Hash: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction Fuzzy Hash: 1A31CD71A00219EFCB00CFACD998ADE3FB5FB55314F108229FA25AB2D0C7709945EB90

Function 005A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005A579D
_wcslen.LIBCMT ref: 005A57AF
_wcslen.LIBCMT ref: 005A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction ID: a4284232c3d5620534d9205d8c27ffa105127e8976dad31e93bdc0d7ede0f324
Opcode Fuzzy Hash: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction Fuzzy Hash: EF219331904618DADB208F64DC84EEE7FB8FF56320F108616F919EB180E7709985CF50

Function 00590930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00590951
GetForegroundWindow.USER32 ref: 00590968
GetDC.USER32(00000000), ref: 005909A4
GetPixel.GDI32(00000000,?,00000003), ref: 005909B0
ReleaseDC.USER32(00000000,00000003), ref: 005909E8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction ID: 5b628a112ce0d0d5a01c5e1db127711a9e8f6c3e44d1a8b7dd4bb2a884670cdb
Opcode Fuzzy Hash: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction Fuzzy Hash: 8C218435600204AFEB04EF69C949AAEBFF9FF85700F048468E84AA7352DB30EC44DB50

Function 0054CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0054CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054CDE9

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0054CE0F
_free.LIBCMT ref: 0054CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0054CE31

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7959bd8c376b5cce12c976a6576b44b613f91bd1c97f61c912111dcd1c1dd492
Instruction ID: ff3b122b98d15f41fd89ee0a481dabfdb451f0f5dca1c607a42411067adcf822
Opcode Fuzzy Hash: 7959bd8c376b5cce12c976a6576b44b613f91bd1c97f61c912111dcd1c1dd492
Instruction Fuzzy Hash: 3E0184726032157F276216B66C8CDBB7D6DFEC7BA93150129F905C7201EF618D1291B0

Function 00529639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
SelectObject.GDI32(?,00000000), ref: 005296A2
BeginPath.GDI32(?), ref: 005296B9
SelectObject.GDI32(?,00000000), ref: 005296E2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction ID: 9deb3f3eb4187ff1688620d40598047957678a1737c4e9376a05da9ae058af06
Opcode Fuzzy Hash: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction Fuzzy Hash: 7D21B331901759EBDB118F64EC48BAD3FA4BF22315F100215F450DA2F1D3706889EF98

Function 00575711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575726
_memcmp.LIBVCRUNTIME ref: 00575744
_memcmp.LIBVCRUNTIME ref: 00575757
_memcmp.LIBVCRUNTIME ref: 0057576F
_memcmp.LIBVCRUNTIME ref: 00575787

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction ID: fcb6afef9bf14232aed0a2565e7e3c0099bc22d36e1514db90967f5f2333a981
Opcode Fuzzy Hash: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction Fuzzy Hash: F001B5A1645A0ABBE20C5521AD86FBF7B5CFB613E4F008420FE0D9A241F7A1ED1093B4

Function 00542DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6), ref: 00542DFD
_free.LIBCMT ref: 00542E32
_free.LIBCMT ref: 00542E59
SetLastError.KERNEL32(00000000,00511129), ref: 00542E66
SetLastError.KERNEL32(00000000,00511129), ref: 00542E6F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 76c2689cfbad3c8a1f9cb3947a359a94b925a4d4da3c3d8d4333b21a5c38109b
Instruction ID: 7094b51df13324a460dbb4d6c166e14bc6fde269b9d143d75abd364b87b12f74
Opcode Fuzzy Hash: 76c2689cfbad3c8a1f9cb3947a359a94b925a4d4da3c3d8d4333b21a5c38109b
Instruction Fuzzy Hash: 9A01263210562267871263752C49DFB3E6DBBE13ACFA04426F41593192EE708C149020

Function 0057000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570070

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction ID: 693e5b2af9e0729885dc1859e284c5da0ef7a492c6ca17c16235ec61ae867d90
Opcode Fuzzy Hash: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction Fuzzy Hash: 46018B72600205FFDB104F69EC08BAA7EEDFB547A2F14A124F909D2250EB75DD44BBA0

Function 0057E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0057E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0057E9A5
Sleep.KERNEL32(00000000), ref: 0057E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0057E9B7
Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction ID: 1a027cc55a0d5889e96598723f7ee57a72e8a5a2f720b357d7223f34b26a0757
Opcode Fuzzy Hash: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction Fuzzy Hash: 71015B72D01629DBCF009BE4E85AADDBF78BF1E301F004586E606B2241CB309559EB61

Function 005710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction ID: c6136f9fc9b8287e4255750945e0d6448a2bf261b42c9600f0abccdcd726c832
Opcode Fuzzy Hash: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction Fuzzy Hash: 08011975200605BFDB114FA9EC49A6A3F6EFF8A3A0B604419FA45D7360DA31DD04EA60

Function 00570FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction ID: fb6028b963192fc27c0e25af8a7c0bd5262cba8585d98445d484def58dba836d
Opcode Fuzzy Hash: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction Fuzzy Hash: 7CF04935200701ABDB214FA9AC4DF5A3FADFF9A762F104415FA49C6251EE70DC54AA60

Function 00571014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction ID: 2fa8470c3eb9a693007dc5b96c8b49590f76c8b5d46856077688edcdbde6c1f6
Opcode Fuzzy Hash: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction Fuzzy Hash: 9DF04935200701ABDB215FAAEC4DF5A3FADFF9A761F104415FA49C6250DE70D854AA60

Function 0058030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580324
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580331
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058033E
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058034B
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580358
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580365

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction ID: 63279650871853044fdf335bb996c966c14b476cf46726462eed549cd631cf13
Opcode Fuzzy Hash: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction Fuzzy Hash: 10019C72801B159FCB30AF66D880816FBF9BE602163159E3FD19662971CBB1A958DF80

Function 0054D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0054D752

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D764
_free.LIBCMT ref: 0054D776
_free.LIBCMT ref: 0054D788
_free.LIBCMT ref: 0054D79A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
Instruction ID: 13e23af86243c5d14f9ed30e9a6b8df4a749c514032d72bdaff7f8b76eb33a5f
Opcode Fuzzy Hash: 0e09515219e6085af8511fe0c43ee2f152e8a18f32f9bde6045214b719798093
Instruction Fuzzy Hash: 46F04F32541216AB8621EB65F9C5D967FFDFB44318BD40806F049D7502C734FC809670

Function 00575C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00575C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00575C6F
MessageBeep.USER32(00000000), ref: 00575C87
KillTimer.USER32(?,0000040A), ref: 00575CA3
EndDialog.USER32(?,00000001), ref: 00575CBD

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction ID: fb1d42a86d788f89ca4a9de9a2f5bc9cf14a09e9d727cd8c61a7b81790096234
Opcode Fuzzy Hash: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction Fuzzy Hash: 88018630500B04ABEB215B14ED4EFA67FFCBB11B05F044559A587A20E1EBF0AD88AA90

Function 005422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005422BE

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 005422D0
_free.LIBCMT ref: 005422E3
_free.LIBCMT ref: 005422F4
_free.LIBCMT ref: 00542305

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
Instruction ID: 6e6b9053c052ea30b8df7a7fa076dd89f6a959f781c5bc0cc975154efe4965d6
Opcode Fuzzy Hash: 6a2b031925cebc4a2d359f9b5ac1a6920efaee68420e7bb23758ae22cf4c424d
Instruction Fuzzy Hash: 66F0B4784015B29B8A26AF56BC8188C3F74F738764F801107F058DA2B1C7710496FFE8

Function 005295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005295D4
StrokeAndFillPath.GDI32(?,?,005671F7,00000000,?,?,?), ref: 005295F0
SelectObject.GDI32(?,00000000), ref: 00529603
DeleteObject.GDI32 ref: 00529616
StrokePath.GDI32(?), ref: 00529631

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction ID: 200df3aa9b78b2f16348f5e6e0a2d62ff1a6f020dfa8d45f27de7e33c17c2d95
Opcode Fuzzy Hash: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction Fuzzy Hash: 11F04F31105A48EBDB1A5F65ED5C7683FA1BF22322F048214F4A5991F2CB348999FF28

Function 00540F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005410F9
__freea.LIBCMT ref: 00541117

Part of subcall function 00541537: _free.LIBCMT ref: 0054154F

Strings

am/pm, xrefs: 0054117A
a/p, xrefs: 005411DE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction ID: b3fb87df8b0c21aec00abaf69fc268ed9dd220c54b0c1d378f7e8fd52fd1d0f7
Opcode Fuzzy Hash: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction Fuzzy Hash: 40D14835900A06DBCB288F68C859BFEBFB1FF05708F244919E9169B650D3759DC0CB99

Function 005961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00596238

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Part of subcall function 0058359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4
Part of subcall function 0058359C: LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

x#^, xrefs: 0059633A
x#^, xrefs: 0059636F
x#^, xrefs: 00596353

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#^$x#^$x#^
API String ID: 1072379062-3539263148
Opcode ID: 33e53f83f18dbc02615d90e85618936e7530082f503a82ad7f6f574b5a1e0b17
Instruction ID: b7042cb355b1f99f464c70204d58ead184cd3a5e64363a337f8234473ba18ccd
Opcode Fuzzy Hash: 33e53f83f18dbc02615d90e85618936e7530082f503a82ad7f6f574b5a1e0b17
Instruction Fuzzy Hash: 11C17B71A00106AFDF14DF98C895EAEBBB9FF48300F118469F945AB291DB70ED49CB90

Function 00545AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOQ, xrefs: 00545BA8, 00545C6C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: JOQ
API String ID: 0-3921798060
Opcode ID: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction ID: 6a2e05dfffb8997bfcb0bbf0ecc67ba69fdb86b8c7cd3d9f2bc7bf9880926ced
Opcode Fuzzy Hash: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction Fuzzy Hash: CE51BE75D0060A9BCB259FA4CC89FEEBFB8FF45318F14045AF405A7292E6319D01DB61

Function 00548A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00548B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00548B7A
__dosmaperr.LIBCMT ref: 00548B81

Strings

.S, xrefs: 00548A63

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .S
API String ID: 2434981716-1539595904
Opcode ID: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction ID: 61160430dc0af42a2c6ce47f131ebf2d9356acf99187ec2df56aaa95f0567b98
Opcode Fuzzy Hash: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction Fuzzy Hash: 40419D70604045AFCB249F25CC84AFD7FE5FB8631CF2885AAF8958B242DE71CC429790

Function 00572716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00572760

Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8

Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0057281A

Strings

@, xrefs: 00572832

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction ID: b7b3cf812bcab17bab430310755f0f5b6b993fc0ed95593300527fad4b2626ab
Opcode Fuzzy Hash: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction Fuzzy Hash: 9A416D72900219AFDB10DBA4DD45BDEBBB8FF45300F108099FA59B7181DB706E85DBA1

Function 0054172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00541769
_free.LIBCMT ref: 00541834
_free.LIBCMT ref: 0054183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00541760, 00541767, 00541796, 005417CE

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
Instruction ID: eeee8538d5b81146783530cfec5b4309f3ba51fceb5c8e64b119fbbb5fd5db2b
Opcode Fuzzy Hash: 85266c84dfedaa20b5a7290546344e0bfc9e02bd7658e47d04f4e2feb068dd38
Instruction Fuzzy Hash: 5331BC75A00A58ABDB25DB9A9C84DDEBFFCFB95314F104166F8049B211D6708A80DB98

Function 0057C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0057C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0057C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E1990,01585EF0), ref: 0057C395

Strings

0, xrefs: 0057C2DF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction ID: 82bc2f369544b9245633c3bd4eff52f0b4197526ff05008ff2d93bf76aac84ee
Opcode Fuzzy Hash: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction Fuzzy Hash: A1418E712043029FD720DF25E884B5ABFE4BF85320F14CA1DF9A9972D1D730A904EB62

Function 005A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005ACC08,00000000,?,?,?,?), ref: 005A44AA
GetWindowLongW.USER32 ref: 005A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A44D7

Strings

SysTreeView32, xrefs: 005A447C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction ID: 4873749e4507687ffc0272da20159f5b84f6073fe35ad84ddef6095fe723cada
Opcode Fuzzy Hash: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction Fuzzy Hash: B9315C31210606AFDF219EB8DC45BEA7FA9FB8A334F204725F975921D0D7B0AC519B50

Function 00576E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00576EED
VariantCopyInd.OLEAUT32(?,?), ref: 00576F08
VariantClear.OLEAUT32(?), ref: 00576F12

Strings

*jW, xrefs: 00576E8B, 00576E90, 00576EF8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jW
API String ID: 2173805711-2693160286
Opcode ID: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction ID: 44ee51ad280366b0a565b4ed83e78f19bbb2caa039ebc39a47f9f52f1951dfdd
Opcode Fuzzy Hash: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction Fuzzy Hash: BB31B371604606DFDB04AF64F8949BD3F76FF85300B104898F9064B2A1D7309D91EBA4

Function 0059304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00593077,?,?), ref: 00593378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
_wcslen.LIBCMT ref: 0059309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00593106

Strings

255.255.255.255, xrefs: 00593095, 0059309A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction ID: b7988a32a94d354688cc7802369c09e2f709e1e9885909f3bd948fcabf683d35
Opcode Fuzzy Hash: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction Fuzzy Hash: 2A31B039600202DFCB20CF68C589AAA7FE0FF55318F248459E9158B3A2DB32EE45D760

Function 005A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A3F78

Strings

SysMonthCal32, xrefs: 005A3F0B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2db68bca5e85e011ed30beace7a4883aba6c94eb163cba0bbcd0c4bf80321056
Instruction ID: e7ee3663323e87410043af921f0bd097f3c6a28c7a2e337e57ddaf431d6ceaab
Opcode Fuzzy Hash: 2db68bca5e85e011ed30beace7a4883aba6c94eb163cba0bbcd0c4bf80321056
Instruction Fuzzy Hash: A821AD32610219BFDF218E54CC46FEE3F79FB89718F110215FA156B190D6B5A894DB90

Function 005A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A471A

Strings

msctls_updown32, xrefs: 005A4684

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction ID: c91d114d8811ffbe7e007e7097770fd6d48f963bac30f61831a6da48671c38db
Opcode Fuzzy Hash: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction Fuzzy Hash: E72151B5600249AFDB10DF68DCC5DBB3BADFB9B394B040459FA019B261DB70EC51DA60

Function 005795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057961D

Strings

#requireadmin, xrefs: 005795D9
#OnAutoItStartRegister, xrefs: 005795F3
#notrayicon, xrefs: 005795B7

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: c7d286b08879fb0b6d8ae524f38049a7491f73f969b39a7e70e99d8c81f0c7ca
Instruction ID: cd10c6d01f152332f5155d5cf581eff24f34541b12618ff2b35ce0a908ff0897
Opcode Fuzzy Hash: c7d286b08879fb0b6d8ae524f38049a7491f73f969b39a7e70e99d8c81f0c7ca
Instruction Fuzzy Hash: 9921087210462266D331AA29AC06FBB7FACBFD5310F148426F94D97181EB51AD81E3F5

Function 005A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A3876

Strings

Listbox, xrefs: 005A380F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction ID: 16ab0d73d7ec5fdddcefd8e1ad1e02aa67a76108507ea7a7b151b4ba6b84a5f6
Opcode Fuzzy Hash: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction Fuzzy Hash: 3521BE72600219BBEB218F64CC85EBF3B6EFF8A754F108125F9009B190CA75DD528BA0

Function 005849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00584A5C
SetErrorMode.KERNEL32(00000000,?,?,005ACC08), ref: 00584AD0

Strings

%lu, xrefs: 00584A6F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction ID: 0037eeb0ff125ed1899e4654c4d0db9e6e06dd6a80b791260e61ed13296bf692
Opcode Fuzzy Hash: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction Fuzzy Hash: C7314B75A00209AFDB10DF54C885EAA7FF9FF49308F1480A5E909EB252DB71EE45CB61

Function 005A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A4271

Strings

msctls_trackbar32, xrefs: 005A4226

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction ID: 641ec9e6f322ed538e558a8222291f584a4bb7f2c0851ce90431f072bffea93b
Opcode Fuzzy Hash: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction Fuzzy Hash: 8011A331240248BEEF205E69CC46FAB3FACFFD6B54F110525FA55E6090D6B1DC519B50

Function 00572F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Part of subcall function 00572DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
Part of subcall function 00572DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
Part of subcall function 00572DA7: GetCurrentThreadId.KERNEL32 ref: 00572DDD
Part of subcall function 00572DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

GetFocus.USER32 ref: 00572F78

Part of subcall function 00572DEE: GetParent.USER32(00000000), ref: 00572DF9

GetClassNameW.USER32(?,?,00000100), ref: 00572FC3
EnumChildWindows.USER32(?,0057303B), ref: 00572FEB

Strings

%s%d, xrefs: 00572FFF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction ID: 0284a40ecf1a234bd9a447240347ce344aa19da3ef18e3bce9d07fb704a45c16
Opcode Fuzzy Hash: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction Fuzzy Hash: 9D11A2716002066BDF14BF74AC89EED3F6ABFD5314F048075B90D9B292DE30994AAB60

Function 005A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58EE
DrawMenuBar.USER32(?), ref: 005A58FD

Strings

0, xrefs: 005A588F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 619f8348d8e64c93262a53a7eea57482402fb24acad13cdf8d54641735dec090
Instruction ID: c7d871573c25bb420818d4a14f52760362fc881f762fb8be5d11e86f48b69884
Opcode Fuzzy Hash: 619f8348d8e64c93262a53a7eea57482402fb24acad13cdf8d54641735dec090
Instruction Fuzzy Hash: FD010C31500219EEDB619F11E844FAFBFB8BF46361F1484A9F849DA151EB308A94EF21

Function 0056D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0056D3BF
FreeLibrary.KERNEL32 ref: 0056D3E5

Strings

X64, xrefs: 0056D2A8
GetSystemWow64DirectoryW, xrefs: 0056D3B9

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction ID: 0b90b13ec85af04db34f9c90fd8d29fe54aa680639c52263857bdf243e7d459b
Opcode Fuzzy Hash: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction Fuzzy Hash: CDF055B5F05A208BC77102115C2896D3FB0BF12701BA88D26E802EB244EB20CC44C2B2

Function 0057007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction ID: a66f30f55023ea489b0ddf1a63732a3597511ff16080eb6116a363c08c1efad8
Opcode Fuzzy Hash: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction Fuzzy Hash: 29C16D75A00216EFCB14CF94D898AAEBBF5FF48314F209598E509EB291D731DD41EB90

Function 0059342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00593459
CoUninitialize.OLE32 ref: 00593463
VariantInit.OLEAUT32(?), ref: 0059346E
VariantClear.OLEAUT32(?), ref: 0059371B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction ID: 668b0a821a1b4d8ff13a3f0aec4b6cc11244cac9605a81a188f9f9832a3beae0
Opcode Fuzzy Hash: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction Fuzzy Hash: DFA14975204201DFDB10DF28C489A6ABBE5FF8D714F058859F98A9B362DB30EE45CB91

Function 00570436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 005705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 00570608
CLSIDFromProgID.OLE32(?,?,00000000,005ACC40,000000FF,?,00000000,00000800,00000000,?,005AFC08,?), ref: 0057062D
_memcmp.LIBVCRUNTIME ref: 0057064E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction ID: 853643bb8abe0d859517d7a55ba91d36adbb0d36eb3dce13e5160036971bdeca
Opcode Fuzzy Hash: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction Fuzzy Hash: 27811C71A00109EFCB04DF94C988DEEBBF9FF89315F108558E506AB290DB71AE06DB60

Function 0059A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0059A6BA

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Process32NextW.KERNEL32(00000000,?), ref: 0059A79C
CloseHandle.KERNEL32(00000000), ref: 0059A7AB

Part of subcall function 0052CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00553303,?), ref: 0052CE8A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e9966aac6c9f087808cd4358b6397ecf99372f15f512eabf53461f3c44fbf9e4
Instruction ID: 0f7578123f3f8661b9f3d33fd859809fff861ad850c5157a9e63722a22c109ae
Opcode Fuzzy Hash: e9966aac6c9f087808cd4358b6397ecf99372f15f512eabf53461f3c44fbf9e4
Instruction Fuzzy Hash: 8E512B71508311AFD710EF24D88AAABBBE8FFC9754F00491DF59597291EB30E944CBA2

Function 00551391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005514C0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 26761c60a35de7da804ddc60fd3569eb2d525dcb7c1e48995331b88ae76008bc
Instruction ID: 45c1923008adaf492b3dc735f0795fb6801f190f85a5fd9c959c5b60691cc93d
Opcode Fuzzy Hash: 26761c60a35de7da804ddc60fd3569eb2d525dcb7c1e48995331b88ae76008bc
Instruction Fuzzy Hash: 1B416935A00902EBDF216BB98C5ABAF3FA4FF81371F140627FC19C6192F67448495765

Function 005A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005A62E2
ScreenToClient.USER32(?,?), ref: 005A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005A6382

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction ID: 1750203f7b1eaf19aaf35c07f46c79752b1c70fb1ba27bb79646e6d86bf0eadb
Opcode Fuzzy Hash: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction Fuzzy Hash: 2D514A74A00249EFCF14DF68D880AAE7BB5FF96360F14856AF8159B290D730ED81DB90

Function 00591AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00591AFD
WSAGetLastError.WSOCK32 ref: 00591B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00591B8A
WSAGetLastError.WSOCK32 ref: 00591B94

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction ID: ed1b5fd3ae5a4b8d786e99ed45286a4aa5f3ed9e37243dcd300ca3a35e9a8f94
Opcode Fuzzy Hash: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction Fuzzy Hash: 2441A1346406126FEB20AF24C88AF657BE6BF85718F548448F5169F3D2D772ED828B90

Function 0054B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction ID: f48dd1b68af5ac0b5d65c0a7d208a9d4479702f63bf4235af218ce3b1c1782fe
Opcode Fuzzy Hash: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction Fuzzy Hash: 2A41E675A00705AFEB249F38CC46BEABFA9FBC8714F10452AF555DB682D771D9018780

Function 005856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00585783
GetLastError.KERNEL32(?,00000000), ref: 005857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005857FA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction ID: 97622cd1184923acccc44fbc011619ff12179e0308cad823a8e074549deb3814
Opcode Fuzzy Hash: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction Fuzzy Hash: 5C410839600611DFDB11EF15C449A5EBFF2BF89320B198488E84AAB362DB30FD41DB91

Function 0054D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00536D71,00000000,00000000,005382D9,?,005382D9,?,00000001,00536D71,?,00000001,005382D9,005382D9), ref: 0054D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0054D9AB
__freea.LIBCMT ref: 0054D9B4

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction ID: dc9ba10fea6b5aaf33a3f7abd3d426312178b81510ae4826cd85b99abcd707ec
Opcode Fuzzy Hash: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction Fuzzy Hash: 6E31A872A0020AABDF248F64DC49AEE7FB5FB41354F050169EC04D62A0EB358D54CBA0

Function 005A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005A5352
GetWindowLongW.USER32(?,000000F0), ref: 005A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A53A8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction ID: 25cbc3b5dc07b2c93bd2823fcccbc58678022017fe9f4e6f55f5a47f6e17b9a6
Opcode Fuzzy Hash: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction Fuzzy Hash: 3331C134A55A08EFEF249E14CC45FEC3F65BB96390F984803FA11961E1E7B09940AB41

Function 0057AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0057ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0057AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0057AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0057ACC6

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction ID: 48b198dd83313fb857cdd5a0f827b44f9b8d15db2bf5d32bf5664fbce874f750
Opcode Fuzzy Hash: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction Fuzzy Hash: A631E730A00618BFFF26CB65A809BFE7EA9BBC5310F04C61AF489561D1C3758D85A752

Function 005A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005A769A
GetWindowRect.USER32(?,?), ref: 005A7710
PtInRect.USER32(?,?,005A8B89), ref: 005A7720
MessageBeep.USER32(00000000), ref: 005A778C

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction ID: 027ccd4b9684eaa5016031f3e9ebcee76028b9eb94039745946855cd2a3821d0
Opcode Fuzzy Hash: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction Fuzzy Hash: 3E418738A096599FCB01CF58CC94EADBFF4FB9E300F1940A8E854DB261C730A985DB90

Function 005A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005A16EB

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

GetCaretPos.USER32(?), ref: 005A16FF
ClientToScreen.USER32(00000000,?), ref: 005A174C
GetForegroundWindow.USER32 ref: 005A1752

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction ID: 697dcada456007c4ff9dd02e4da64457bfeb40fe9f98f048e87ef06e840727e9
Opcode Fuzzy Hash: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction Fuzzy Hash: 50310C75D00249AFDB04EFA9C8858EEBBF9FF89304B5480A9E415A7211D6319E45CBA0

Function 005A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

GetCursorPos.USER32(?), ref: 005A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00567711,?,?,?,?,?), ref: 005A9016
GetCursorPos.USER32(?), ref: 005A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00567711,?,?,?), ref: 005A9094

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction ID: 78e1e6217114ea4b349123317358e3a9b9251f61f825ac4805193c2b6f17d459
Opcode Fuzzy Hash: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction Fuzzy Hash: FB217F35600128EFDB298F94D898EEE7FB9FF8B390F144055F9058B2A1C7319990EB60

Function 0057D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005ACB68), ref: 0057D2FB
GetLastError.KERNEL32 ref: 0057D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0057D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005ACB68), ref: 0057D376

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction ID: dd30ee54f9184e214da932fee3480280e124b6e1bb3a7ee98d63dbb2bdbe9ca2
Opcode Fuzzy Hash: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction Fuzzy Hash: AF2180745042029FC700DF28D8858AA7FF4BE96324F508E1DF499C32A1DB319949DBA3

Function 00571571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
Part of subcall function 00571014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
Part of subcall function 00571014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
Part of subcall function 00571014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005715BE
_memcmp.LIBVCRUNTIME ref: 005715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00571617
HeapFree.KERNEL32(00000000), ref: 0057161E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction ID: d5148ed50c7442a1c90b073f158862b54e62c827c84e81460b17fbc756df0d60
Opcode Fuzzy Hash: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction Fuzzy Hash: 9D219C31E00509AFDF14DFA8D948BEEBBB8FF40344F188459E445AB241E730AA04EB54

Function 005A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005A2840

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9b93295ffbbfb3882e3d93bc96ff2be45b59afdc10db5d78e62b1e771eebfceb
Instruction ID: 529f2b07e0fae0fc4c9482cf087dd956be51e61ec344ad3607c5499105e7dddb
Opcode Fuzzy Hash: 9b93295ffbbfb3882e3d93bc96ff2be45b59afdc10db5d78e62b1e771eebfceb
Instruction Fuzzy Hash: AA21A435604512AFE7149B28C846FAA7F95FF86324F148158F4268B6D2CB75FD82CB90

Function 005778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00578D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578D8C
Part of subcall function 00578D7D: lstrcpyW.KERNEL32(00000000,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00578DB2
Part of subcall function 00578D7D: lstrcmpiW.KERNEL32(00000000,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577923
lstrcpyW.KERNEL32(00000000,?,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577984

Strings

cdecl, xrefs: 0057797B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 716f0494483387d0945d2980e4ef76ff86f5678853b6d289869f9928cd272483
Instruction ID: c69ba510e992c9c8427f7d54099250042fd95d3cfc8c97201ea3779e63ac3bd1
Opcode Fuzzy Hash: 716f0494483387d0945d2980e4ef76ff86f5678853b6d289869f9928cd272483
Instruction Fuzzy Hash: E011EC3A201706AFCB155F34F849D7B7BA9FF99350B50802AF946C72A4EF319811E791

Function 005A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0058B7AD,00000000), ref: 005A7D6B

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 86bcf2e8cfd4c51e5233cfbd640f5c5ac2670f4a353a542956bdc9cb07b2583f
Instruction ID: 672f9737c3e61cf425cb86d38485de579685e2f804bc9b47d9c63c41427d65e7
Opcode Fuzzy Hash: 86bcf2e8cfd4c51e5233cfbd640f5c5ac2670f4a353a542956bdc9cb07b2583f
Instruction Fuzzy Hash: 7611AF32604669AFCB149F28CC04AAA3FA5BF4B360B154724F839DB2F0E7309D55DB90

Function 005A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005A56BB
_wcslen.LIBCMT ref: 005A56CD
_wcslen.LIBCMT ref: 005A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction ID: 4bcfde3f289dc3d914e2ea0f8c620b45377d4e0ceca0dd4ffae8d9c544bfb49c
Opcode Fuzzy Hash: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction Fuzzy Hash: F611B1716006099ADF20DF658C85EEE7FACFF56760F104426F915DA081FB709A84CBA0

Function 00541D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1bc1c197c729dd8964e18859e761d5dc2e2d846ec02048a7e35ec4825bf3e45
Instruction ID: 25ddca58d5f73cbe4e0f60a765f8d1d94f8bdab3b11431305e66d46c9fb772a6
Opcode Fuzzy Hash: e1bc1c197c729dd8964e18859e761d5dc2e2d846ec02048a7e35ec4825bf3e45
Instruction Fuzzy Hash: BF017CF2A05A167EF61116786CC4FA76E2DFF913BCB341325B531511D2DB608C809164

Function 00571A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00571A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A8A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction ID: 0577911197ff0d9eda2f5f1547808625cc7fdeb60b4ac0123afe4dfc1f0706d7
Opcode Fuzzy Hash: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction Fuzzy Hash: 5D113C3AD01219FFEB10DBA8CD85FADBB78FB04750F204091E605B7290D6716E50EB94

Function 0057E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0057E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0057E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0057E24D

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction ID: 7a3988581c14abb129092fbf58bd38d92f583a2ca32feb2387fa17234d5a64a6
Opcode Fuzzy Hash: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction Fuzzy Hash: 2F112B76A04354BBC7059FA8EC4AA9F7FADEB5A310F008655F819D7291D670CD0897A0

Function 0053D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0053CFF9,00000000,00000004,00000000), ref: 0053D218
GetLastError.KERNEL32 ref: 0053D224
__dosmaperr.LIBCMT ref: 0053D22B
ResumeThread.KERNEL32(00000000), ref: 0053D249

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction ID: d45ad4c648fb10770a3f34014536dc83df1b13599ed28869aad4c22a23baeec2
Opcode Fuzzy Hash: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction Fuzzy Hash: 8B01C03A805205BBCB215BA5EC09AAB7F79FF82731F100219F925921D0DF718905D7B0

Function 005A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

GetClientRect.USER32(?,?), ref: 005A9F31
GetCursorPos.USER32(?), ref: 005A9F3B
ScreenToClient.USER32(?,?), ref: 005A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 005A9F7A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5578a038687e2f0bff2ea6d5d4f21dc66948c0897484569aacecb09d2e02025b
Instruction ID: a50df258e063769a48acc863b38afd84b48810f2e0fc5f85807bdbf2e47dc4d0
Opcode Fuzzy Hash: 5578a038687e2f0bff2ea6d5d4f21dc66948c0897484569aacecb09d2e02025b
Instruction Fuzzy Hash: 9711333290026AAFDF15DFA8D8899EE7BB9FB46311F000455FA02E3140D330BA85DBA1

Function 0051600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
GetStockObject.GDI32(00000011), ref: 00516060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction ID: b107be61bab182dbec4d44bf95da99212bad452a61abb8ec84958de889274cc6
Opcode Fuzzy Hash: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction Fuzzy Hash: A611AD72501508BFEF129FA48C48EEABFA9FF1D3A4F000206FA0556110C7329CA0EBA1

Function 00533B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00533B56

Part of subcall function 00533AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00533AD2
Part of subcall function 00533AA3: ___AdjustPointer.LIBCMT ref: 00533AED

_UnwindNestedFrames.LIBCMT ref: 00533B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00533B7C
CallCatchBlock.LIBVCRUNTIME ref: 00533BA4

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f06acc09e4593976fed23c5dc7da80649af29af9ef4ed75e1183013d4221a169
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CC01E932100149BBDF125E95CC4AEEB7F69FF98754F044014FE4866121C736E961DBA0

Function 00543073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005113C6,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue), ref: 005430A5
GetLastError.KERNEL32(?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000,00000364,?,00542E46), ref: 005430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000), ref: 005430BF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction ID: f2fed4ac56fc8efa5cff5c1b14f288658ecd53835b938a4d63b369a4f0a037f9
Opcode Fuzzy Hash: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction Fuzzy Hash: B4012B36301622ABCB314B789C4CA977FD8BF16B65B200720F90DE7160D721DD09C6E0

Function 00577464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0057747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00577497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005774CA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction ID: b428db24a8e2cfd7b177b09b814ab7e5dd40fe082681dfb19efc57fad476ba2b
Opcode Fuzzy Hash: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction Fuzzy Hash: 2D115EB52053199BEB208F24FC09F927FFDFB08B04F10C969A66AD6151D7B0E908EB50

Function 0057B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B126

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction ID: 526469fef58ce4f13997d9a2c1d5ba6b1fd7f46e53ea40b979a20e7d06872028
Opcode Fuzzy Hash: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction Fuzzy Hash: 75117930E01529E7DF00AFE4E9A8BEEBF78FF5A311F008486D945B2181CB305655EB51

Function 005A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005A7E33
ScreenToClient.USER32(?,?), ref: 005A7E4B
ScreenToClient.USER32(?,?), ref: 005A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005A7E8A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1e280e3c56aff32b69bdec5bdec9877c5820dc004cf936003eb9f78ae03001e2
Instruction ID: 60e71a56bc2d3062af58670129db9526be670adbc4404685b15ec6916335ba2f
Opcode Fuzzy Hash: 1e280e3c56aff32b69bdec5bdec9877c5820dc004cf936003eb9f78ae03001e2
Instruction Fuzzy Hash: 7D1143B9D0020AAFDB41CFA8C8849EEBBF9FB19310F505056E915E3210D735AA54DF90

Function 00572DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
GetCurrentThreadId.KERNEL32 ref: 00572DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction ID: 95905d093804b29c87b2925ec2f55ab28fb7749f35a8b20dd49f0099a903da29
Opcode Fuzzy Hash: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction Fuzzy Hash: 38E092B16012347BD7305B76AC0DFEB3E6CFF63BA1F004015F109D20809AA0C845E6B0

Function 005A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005A8887
LineTo.GDI32(?,?,?), ref: 005A8894
EndPath.GDI32(?), ref: 005A88A4
StrokePath.GDI32(?), ref: 005A88B2

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction ID: 90fb1ba7bc6ae5c7aaccbfeb9de6460cc5d76bdcd182896492d68d60d2a58c1b
Opcode Fuzzy Hash: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction Fuzzy Hash: ABF03A36045659BADB125F94AC0DFDE3E59BF27310F448000FA11650E2CB795515EBA9

Function 005298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005298CC
SetTextColor.GDI32(?,?), ref: 005298D6
SetBkMode.GDI32(?,00000001), ref: 005298E9
GetStockObject.GDI32(00000005), ref: 005298F1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction ID: babda23092f530fcf023f160b2149b06ff6ffa12fd385980bdd04a0b603c7173
Opcode Fuzzy Hash: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction Fuzzy Hash: 77E06D31644284ABDB215B74BC09BE83F60FB27336F048219F6FA581E1C7724684EB10

Function 0057162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00571634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005711D9), ref: 00571648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057164F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction ID: 9fd6a7abfb0923c10368a160921ec55014196553daf74aa5e51fb240e99b5b65
Opcode Fuzzy Hash: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction Fuzzy Hash: 70E08635601211DBD7201FA5AD0DB4B3F7CBF66791F148808F245C9080D6344548E754

Function 0056D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D858
GetDC.USER32(00000000), ref: 0056D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction ID: ca8919bc23010366900ac9e3378c651b0e0ab707e0499b170370e9ed39fb7596
Opcode Fuzzy Hash: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction Fuzzy Hash: 69E01AB4800205DFCB419FA4D80C66DBFB1FB19310F108409E806E7350CB388945AF50

Function 0056D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D86C
GetDC.USER32(00000000), ref: 0056D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction ID: 967b2f4171f1099f455d179a3d3f2215e27ba0317e127c4cc6dd779dd11b1383
Opcode Fuzzy Hash: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction Fuzzy Hash: 78E012B4800204EFCB41AFA4D80C66EBFB1BB19310B108408E80AE7360CB38990AAF50

Function 00584D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00584ED4

Strings

*, xrefs: 00584E10
LPT, xrefs: 00584DFB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 50cdfcd0c80f2875b9d9fafd9d0b68a234cc6281d139b57edf0632c7582f4257
Instruction ID: ec4d1fe4e7100715e07138861d22498cf32366a0cc2e57413c7249f885553b84
Opcode Fuzzy Hash: 50cdfcd0c80f2875b9d9fafd9d0b68a234cc6281d139b57edf0632c7582f4257
Instruction Fuzzy Hash: BB914A75A002059FDB14EF58C484AAABFB5BF48304F198099ED0AAB362D731ED85CF91

Function 0053E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0053E30D

Strings

pow, xrefs: 0053E2E5, 0053E302

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction ID: 3c105a0531dd9e4f1d239972786d0b5c7827b106ddec0575143a0e72a3a4b853
Opcode Fuzzy Hash: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction Fuzzy Hash: 5E515971E1C20A96CB157724C9473FA3FE8FB54744F208E98E095832E9EB309C95AA46

Function 00597771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,?,00000000,00000000), ref: 005978DD

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,00000000,?,00000000,00000000), ref: 0059783B

Strings

<s], xrefs: 005977C8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s]
API String ID: 3544283678-3287859866
Opcode ID: c4a76884b88d05f07e957f978f1b1fa8f9ef946f2e6bf42aa1d9ed41a23ea3ce
Instruction ID: f78ab4f2a3c13ab3eb41a6b18f90cb29e4d93f20758be01d84cf36e5052db489
Opcode Fuzzy Hash: c4a76884b88d05f07e957f978f1b1fa8f9ef946f2e6bf42aa1d9ed41a23ea3ce
Instruction Fuzzy Hash: C9616B7292411AAADF04EBA4CC95DFDBB78FF58300F540926E542A3191EF306A85DBA0

Function 0052E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0052E1B1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 062fbf136d46e73707fe612dc6a337b1a9c836dc6ced405d3322aff0f2940067
Instruction ID: 66adfff15f52614cec2f1f134505b049b2068563e8ecacdaee075e01aa8943b8
Opcode Fuzzy Hash: 062fbf136d46e73707fe612dc6a337b1a9c836dc6ced405d3322aff0f2940067
Instruction Fuzzy Hash: A1513339502296DFDF15DF28D086AFA7FA8FF66310F644055E8929B2C0D6349D82CBA0

Function 0052F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0052F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0052F2BB

Strings

@, xrefs: 0052F2AF

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction ID: c7a2995c9ab9ec5f6a5ad5f1cdfd9c427da7dc9de0f0fd6f0e4bc561255378ce
Opcode Fuzzy Hash: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction Fuzzy Hash: 95514971408B499BE320AF14DC8ABABBBF8FFD9300F81485DF1D941195EB318569CB66

Function 00595745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005957E0
_wcslen.LIBCMT ref: 005957EC

Strings

CALLARGARRAY, xrefs: 005957E6, 005957EB

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 92714ac8121d4e3579a21eab9b2995cc6c0dae05a0094faa19f3c06a8767730d
Instruction ID: 1c137534ec4c76d0c473b9da2367f8f55f118cdcbbcc352f0b521fcfa437f5d1
Opcode Fuzzy Hash: 92714ac8121d4e3579a21eab9b2995cc6c0dae05a0094faa19f3c06a8767730d
Instruction Fuzzy Hash: 42418071A0010A9FCF15DFA9D8899EEBFF5FF99320F244069E505A7291E7309D91CB90

Function 0058D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0058D13A

Strings

|, xrefs: 0058D10B

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction ID: 20de1884158e0cb95b0cdf2d8ee3d4ff1b41bc96ce37ac12595cdfae6ab8a7f9
Opcode Fuzzy Hash: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction Fuzzy Hash: 91311A71D0020AABDF15EFA4CC89AEFBFB9FF44300F000119F815A6165DB31AA56DB60

Function 005A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A365C

Strings

static, xrefs: 005A35BC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 122e22337bc0781ba20589693aa950e43beab676233fb604c540f61636c4bd61
Instruction ID: ec25a2110fa329503b0883681e4de8e28bc733ad666cfcda874b9030258fb835
Opcode Fuzzy Hash: 122e22337bc0781ba20589693aa950e43beab676233fb604c540f61636c4bd61
Instruction Fuzzy Hash: 2231AD71500204AEEB109F68DC84EFF7BA9FF89724F008619F8A597280DA31AD81D760

Function 005A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A4634

Strings

', xrefs: 005A458E

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction ID: cf6a83b4df17a8db4cdfa2242298cf86384d68b0ab00f160ebbea7432901c601
Opcode Fuzzy Hash: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction Fuzzy Hash: 11310774A0120A9FDB14CFA9C990BEE7BB5FF8A300F14446AE905AB351D7B0A941DF90

Function 005A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A3287

Strings

Combobox, xrefs: 005A3249

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction ID: 2066e20eb525f80fa94064adbde64d5f5ed8f3dafd71121173266e5b07c47926
Opcode Fuzzy Hash: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction Fuzzy Hash: CF11D0752002086FEF219E94DC84FBF3F6AFF9A3A8F100125F9189B290D6319D5197A0

Function 005A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

GetWindowRect.USER32(00000000,?), ref: 005A377A
GetSysColor.USER32(00000012), ref: 005A3794

Strings

static, xrefs: 005A3757

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction ID: 134114b73b3ec6008c4fdbef1b1a556f0835499b4b2661c04ee85addd2195076
Opcode Fuzzy Hash: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction Fuzzy Hash: 7B1129B261020AAFDB00DFA8CC45EFE7BF8FB09354F004914F955E2250E735E9559B60

Function 0058CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0058CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0058CDA6

Strings

<local>, xrefs: 0058CD66

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction ID: fb1ba8f2978b495ded9addbb0a05f2c7d65b8cdca9bcddf79a4e286ef4275730
Opcode Fuzzy Hash: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction Fuzzy Hash: A811C671206671BAD7347B668C45EE7BEACFF127A4F00462AB909A3180D7709845D7F0

Function 005A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A34BA

Strings

edit, xrefs: 005A348F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction ID: 9d9a95a7db6a4abb988c022aa4904b02f30f53cebd6b163eaa9ec8997abdc26b
Opcode Fuzzy Hash: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction Fuzzy Hash: 52116D71500208AFEF118E64DC48AAF3F6AFB5A378F504724FA61971D0C771DC959B60

Function 00576C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

CharUpperBuffW.USER32(?,?,?), ref: 00576CB6
_wcslen.LIBCMT ref: 00576CC2

Strings

STOP, xrefs: 00576CBC, 00576CC1

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction ID: 3d49b2ca4b2bfd66e2ba967bda0ef6c6f227092774e8f1505fe71e82b8efa2d0
Opcode Fuzzy Hash: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction Fuzzy Hash: C30104326109278ACB219FBDEC849FF3FA8FAA1710B504924E85697190EB31DD40D650

Function 00571CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00571D4C

Strings

ComboBox, xrefs: 00571CEB
ListBox, xrefs: 00571D16

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61515f577900a0b1658e153a8864883cc219f3891f7cfca2c53f4e1eb5d5e1b2
Instruction ID: 56c65606ad72fa43332b8947cc37f72f61f05648d94eab46ad98a48e6579370e
Opcode Fuzzy Hash: 61515f577900a0b1658e153a8864883cc219f3891f7cfca2c53f4e1eb5d5e1b2
Instruction Fuzzy Hash: 06012831600215ABDB24EFA8DC55CFE7F68FF82390F00491AF866573C1EA305908AA60

Function 00571BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00571C46

Strings

ComboBox, xrefs: 00571BE5
ListBox, xrefs: 00571C10

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction ID: 1ed53540a4fb225e058c0ca27bc0fbcb6ae22f75b40d3c3dadd142d70f95ccc8
Opcode Fuzzy Hash: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction Fuzzy Hash: 1401FC7164010566DB15E7D4D95A9FF7FACBF51340F200016A80A672C1EA209E08A6B5

Function 00571C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00571CC8

Strings

ComboBox, xrefs: 00571C69
ListBox, xrefs: 00571C94

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction ID: 8e6eb290ae1d6c6b4aab50148884e3fb06073902ca1ef74948d86ff6d13b0da8
Opcode Fuzzy Hash: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction Fuzzy Hash: CC012B7164051567DB15EBD8DA16AFE7FACBF51380F104016B84677281EA208F08E2B5

Function 0052A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052A529

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Strings

,%^, xrefs: 0052A509
3yV, xrefs: 0052A545, 0052A54D, 0052A552

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%^$3yV
API String ID: 2551934079-817577063
Opcode ID: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction ID: 7c970d733234b0c6971b9745d9ffd2b6b1bc791d4476596c126bdaaeb97af815
Opcode Fuzzy Hash: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction Fuzzy Hash: 6401F73270066197CE08F768E86FA9E7F68BF86710F401425F9025B1C2DE509D458AD7

Function 00571D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00571DD3

Strings

ComboBox, xrefs: 00571D75
ListBox, xrefs: 00571DA0

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1906120f15ece6188a70272699d37bdf878a5bdd94cb6e4fbb33a2b7b03104e
Instruction ID: 71db3bd30f6f6bb1b2676e8472bfb60ce74419c7ba3cd27692c5cc23827dc00c
Opcode Fuzzy Hash: c1906120f15ece6188a70272699d37bdf878a5bdd94cb6e4fbb33a2b7b03104e
Instruction Fuzzy Hash: DCF04970A0021566E714E7A8DC56BFE7F6CBF42390F040816B866632C1EA205D0896A0

Function 005A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E3018,005E305C), ref: 005A81BF
CloseHandle.KERNEL32 ref: 005A81D1

Strings

\0^, xrefs: 005A818A

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0^
API String ID: 3712363035-3379709126
Opcode ID: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction ID: 199575348d26d12ddfc890ce9e6295e2c54b067e2b0307b05e0c5fef0570b743
Opcode Fuzzy Hash: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction Fuzzy Hash: AAF089B1640340BEE7246761AC4DFB73E9CEB15750F000461FB48DB1A1D6758E14A3F4

Function 0059747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00597493
_wcslen.LIBCMT ref: 005974B9

Strings

3, 3, 16, 1, xrefs: 00597483

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction ID: 0dbe8ab5f30028e2020a1f2af57ed84f5bd2056c98449352165aaefa24bcd8b5
Opcode Fuzzy Hash: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction Fuzzy Hash: 5FE02B03225321109B3112799CC5B7F5F8DFFCD760B14182BF989C2267EAA49D9193A0

Function 00570B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00570B23

Strings

Error allocating memory., xrefs: 00570B1C
AutoIt, xrefs: 00570B17

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 98abebc8b2982cb242bf095458a39acc3f204d975030be5e7b8d515a1a203ba3
Instruction ID: 7e4c69ad8a3154ecb3eab911f476bee69323bb0faac76fd07e8a519cd20152dc
Opcode Fuzzy Hash: 98abebc8b2982cb242bf095458a39acc3f204d975030be5e7b8d515a1a203ba3
Instruction Fuzzy Hash: 8AE0D8322443192AD31437547C07F8D7FC8FF06B20F10042BF758555C38EE1689056A9

Function 00530D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0052F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00530D71,?,?,?,0051100A), ref: 0052F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 00530D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 00530D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00530D7F

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction ID: 928c34918856d7bb29dd197693750a8d2d268d4c437d567f50edcac5761334f2
Opcode Fuzzy Hash: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction Fuzzy Hash: A8E06D742007518BD7609FB8E41834A7FE4BF15744F004D2DE4C2C6691DBB0E4889B91

Function 0052E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052E3D5

Strings

0%^, xrefs: 0052E3B5
8%^, xrefs: 0052E3CA

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%^$8%^
API String ID: 1385522511-2219163478
Opcode ID: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction ID: 109e54cbb7a2779ec71da4751c73cd58f25d60cdef7062a304f4a2b57a14564b
Opcode Fuzzy Hash: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction Fuzzy Hash: E9E02631400BB4CBC60CD718FAAAA8C3B99BF66321F1019AAE0828F1DDDBB038419654

Function 00583017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0058302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00583044

Strings

aut, xrefs: 00583038

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction ID: 6349e2c1f7829ac0352a18ac60e74142055a2daec3e7fff74015cc1ae81553e9
Opcode Fuzzy Hash: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction Fuzzy Hash: 27D05B7550031467DB3097949D0DFC73F6CDB05750F0001927795D2091DAB09544CAD0

Function 0056D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0056D220

Strings

%.3d, xrefs: 0056D22B
X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction ID: 729f93c779faf7c5fefaa4e5baeb76e7960134e890187afc99c36b062005929c
Opcode Fuzzy Hash: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction Fuzzy Hash: 08D012B9D08119EACB9096D0DC599B9BF7CBF19301F508C63F80693040E728C5086771

Function 005A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A236C
PostMessageW.USER32(00000000), ref: 005A2373

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2365

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction ID: ec4612f7faff35dbf9ca8e59b975b5bf59650b54b771ba011fdf326b28704b8e
Opcode Fuzzy Hash: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction Fuzzy Hash: 6DD0C9327813147AE674A774AC0FFC67E14AB6AB10F0049167755AA1D0C9A0A8059A54

Function 005A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A233F

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2325

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction ID: 8de9d5149be15e572fdd04aa17f7a7b24b8beb12ead648874b83316531c9eaa7
Opcode Fuzzy Hash: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction Fuzzy Hash: E8D0C936794314BAE674A774AC0FFC67E14AB66B10F0049167759AA1D0C9A0A8059A54

Function 0054BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0054BE93
GetLastError.KERNEL32 ref: 0054BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054BEFC

Memory Dump Source

Source File: 00000000.00000002.1733867331.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1733842956.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1733965812.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734051572.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1734085327.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7aadc3fd7e1c94f39ff6b3d1abf2761b74e65f37c85b50beb53bc8cc30d48b33
Instruction ID: d452c11331f3303bf01371c9cfd767e24b744700ee79f0f7602882199bd2f8ef
Opcode Fuzzy Hash: 7aadc3fd7e1c94f39ff6b3d1abf2761b74e65f37c85b50beb53bc8cc30d48b33
Instruction Fuzzy Hash: A141C234604206BBEF258F65CC88AEA7FA9BF82314F144169F95D971A2DB31CD05DB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1896815041.00002A5696903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914246875.0000019753920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1858120289.0000019753948000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1858120289.0000019753948000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1904356601.0000019750E45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914246875.0000019753920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1858120289.0000019753948000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1858120289.0000019753948000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1858120289.0000019753934000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.2927625017.000001E4D9B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.2927625017.000001E4D9B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.2927625017.000001E4D9B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2928047343.0000018C0B00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1858120289.0000019753948000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1904356601.0000019750E45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1896815041.00002A5696903000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1914246875.0000019753920000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1907825391.0000019750E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.116.101:443 -> 192.168.2.4:56618 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:56647 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:56648 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:56646 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.116.101
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56646 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56646
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56647
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56648
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56619
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56813
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56648 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_559cd4d8-ed0c-425b-a9f8-980949088ac5.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_559cd4d8-ed0c-425b-a9f8-980949088ac5.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre