Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543500
MD5:	158a88b989303eb0443db400eea08e23
SHA1:	492ee65174fb3e1739c9a117099f80b816575022
SHA256:	18d9e19df2cc995fd5e2f0c0b5f74c79b08c7f6d139f49e46f7cb893e3685950
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 158A88B989303EB0443DB400EEA08E23)

taskkill.exe (PID: 7308 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7408 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7472 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7536 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7600 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7664 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7696 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7956 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4545e727-0c1a-4468-96bf-5b74738a9406} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 2410036fd10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7572 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -parentBuildID 20230927232528 -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11f93443-0807-4a81-8b55-bb39ff0fc5bb} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24110c63e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7212 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b805f6f-7f96-4d47-a250-29f74ce1fae6} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24100371b10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1749194237.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.1749451115.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 7292	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0058EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0058EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0058ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0058EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0057AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005A9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2ba3ad1e-7
Source: file.exe, 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_186672ef-8
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1d3fc00a-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2e440f1c-0

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C29272 NtQuerySystemInformation,		16_2_000001BAF5C29272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C22CF7 NtQuerySystemInformation,		16_2_000001BAF5C22CF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0057D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00571201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00571201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0057E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051BF40	0_2_0051BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00582046	0_2_00582046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00518060	0_2_00518060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00578298	0_2_00578298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E4FF	0_2_0054E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054676B	0_2_0054676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A4873	0_2_005A4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051CAF0	0_2_0051CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053CAA0	0_2_0053CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052CC39	0_2_0052CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00546DD9	0_2_00546DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052B119	0_2_0052B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005191C0	0_2_005191C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531394	0_2_00531394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531706	0_2_00531706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053781B	0_2_0053781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052997D	0_2_0052997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00517920	0_2_00517920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005319B0	0_2_005319B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537A4A	0_2_00537A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531C77	0_2_00531C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537CA7	0_2_00537CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059BE44	0_2_0059BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549EEE	0_2_00549EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00531F32	0_2_00531F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C29272	16_2_000001BAF5C29272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C22CF7	16_2_000001BAF5C22CF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C2999C	16_2_000001BAF5C2999C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000001BAF5C292B2	16_2_000001BAF5C292B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0052F9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00530A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/41@73/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005837B5 GetLastError,FormatMessageW,

0_2_005837B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005710BF AdjustTokenPrivileges,CloseHandle,		0_2_005710BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005716C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005851CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0057D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0058648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005142A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1936841140.0000024118764000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4545e727-0c1a-4468-96bf-5b74738a9406} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 2410036fd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -parentBuildID 20230927232528 -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11f93443-0807-4a81-8b55-bb39ff0fc5bb} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24110c63e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b805f6f-7f96-4d47-a250-29f74ce1fae6} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24100371b10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4545e727-0c1a-4468-96bf-5b74738a9406} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 2410036fd10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -parentBuildID 20230927232528 -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11f93443-0807-4a81-8b55-bb39ff0fc5bb} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24110c63e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b805f6f-7f96-4d47-a250-29f74ce1fae6} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24100371b10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 0000000D.00000003.1966125840.000002411B911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000D.00000003.1969719121.000002410DA9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000D.00000003.1971594718.000002410DA9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000D.00000003.1969719121.000002410DA9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1968246443.000002411B911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 0000000D.00000003.1966125840.000002411B911000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000D.00000003.1971594718.000002410DA9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1968246443.000002411B911000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00530A76 push ecx; ret

0_2_00530A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0052F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0052F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005A1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96273

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001BAF5C29272 rdtsc

16_2_000001BAF5C29272

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0057DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005868EE FindFirstFileW,FindClose,	0_2_005868EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0058698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0057D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0057D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00589642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00589642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00589B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00589B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00585C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00585C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: firefox.exe, 00000010.00000002.3545074855.000001BAF581A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000010.00000002.3549439283.000001BAF6140000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3544826444.000001DF53E1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3548877056.000001DF54200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3549281617.00000207F7D17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3549439283.000001BAF6140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]w
Source: firefox.exe, 0000000F.00000002.3545307610.00000207F77DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`Av
Source: firefox.exe, 0000000F.00000002.3545307610.00000207F77DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW c
Source: firefox.exe, 0000000F.00000002.3545307610.00000207F77DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWvl\|
Source: firefox.exe, 0000000F.00000002.3549749106.00000207F7E08000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3549439283.000001BAF6140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000001BAF5C29272 rdtsc

16_2_000001BAF5C29272

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0058EAA2 BlockInput,

0_2_0058EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00542622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00534CE8 mov eax, dword ptr fs:[00000030h]

0_2_00534CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00570B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00570B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00542622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00542622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0053083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005309D5 SetUnhandledExceptionFilter,	0_2_005309D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00530C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00530C21

Source: C:\Users\user\Desktop\file.exe

0_2_00571201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00552BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00552BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0057B226 SendInput,keybd_event,

0_2_0057B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_005922DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00570B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00571663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00571663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00530698 cpuid

0_2_00530698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00588195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00588195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0056D27A GetUserNameW,

0_2_0056D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0054BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0054BB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005142DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1749194237.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1749451115.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1749194237.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1749451115.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7292, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00591204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00591204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00591806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00591806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	41%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://xhr.spec.whatwg.org/#sync-warning	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe
http://json-schema.org/draft-07/schema#-	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.129	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.1.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	142.250.184.206	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	142.250.74.206	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.129.140	true	false		unknown
ipv4only.arpa	192.0.0.170	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000D.00000003.1946990203.0000024113684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792910474.0000024113A31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923635183.0000024113683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942117948.0000024113A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3546546206.000001DF541D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1931020318.0000024119ACE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3546693324.00000207F7BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3549073453.000001DF54303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1774134355.0000024118823000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1775182206.0000024118816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903982039.0000024118816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865156176.0000024118816000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000014.00000002.3546546206.000001DF5418F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000D.00000003.1802713041.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791649569.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931020318.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944969328.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918680414.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000D.00000003.1945352729.00000241187FC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1792097373.00000241187B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938756043.000002411858E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000D.00000003.1794994215.0000024110A0F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1919361885.00000241197E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1794627454.000002411135A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738200641.000002411001F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738036961.000002410FE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738726212.0000024110077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738379351.000002411003C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1779175781.0000024110BC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934949221.00000241192A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779175781.0000024110BE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000D.00000003.1792910474.0000024113A14000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000D.00000003.1940509024.000002411845B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1738566380.000002411005A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881250591.0000024119142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738200641.000002411001F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738036961.000002410FE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867394012.0000024119142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738726212.0000024110077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738379351.000002411003C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000D.00000003.1923635183.0000024113674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947043348.0000024113674000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1738566380.000002411005A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738200641.000002411001F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738036961.000002410FE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738726212.0000024110077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738379351.000002411003C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000D.00000003.1792696509.0000024118220000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000D.00000003.1792097373.00000241187B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000D.00000003.1802713041.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791649569.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931020318.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944969328.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918680414.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3546693324.00000207F7BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3549073453.000001DF54303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.instagram.com/	firefox.exe, 0000000D.00000003.1807626734.000002411144C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1805918708.000002411144E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1841990900.000002411144C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1802713041.0000024119A61000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000D.00000003.1940509024.000002411847D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3546693324.00000207F7BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3549073453.000001DF54303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000014.00000002.3546546206.000001DF5410C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1951008802.00000241126DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000D.00000003.1945352729.00000241187FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000D.00000003.1946990203.0000024113684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792910474.0000024113A31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923635183.0000024113683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942117948.0000024113A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3546546206.000001DF541D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000D.00000003.1923209545.00000241140B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1941322146.00000241140B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777695946.00000241185A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1777473779.00000241186BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1807626734.00000241114CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1805918708.00000241114CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860652966.00000241114D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1860365377.00000241114CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1805007995.00000241114CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1934949221.00000241192EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1934949221.00000241192A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1934839666.00000241192FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000D.00000003.1940509024.000002411847D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1792097373.00000241187B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3546546206.000001DF54113000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000D.00000003.1945352729.00000241187FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	URL Reputation: safe	unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000D.00000003.1792910474.0000024113A14000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1841990900.00000241114DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869262952.00000241114C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903982039.0000024118872000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1807626734.00000241114CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799479243.0000024111677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886481116.00000241112C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1801736862.0000024111671000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1869262952.00000241114C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898082990.000002411160D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1799479243.000002411163A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879874030.0000024111642000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1912391450.00000241114BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947408964.000002411364E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792297176.000002411848D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1805007995.00000241114C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873949705.00000241116C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898431160.0000024111638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1922645319.00000241184E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792297176.00000241184CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792297176.000002411844C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1805918708.00000241114CC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1923635183.0000024113674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947043348.0000024113674000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000D.00000003.1794031114.0000024112044000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1923635183.0000024113674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1947043348.0000024113674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1948233924.0000024112CF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1925156745.0000024112CF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000D.00000003.1792297176.000002411848D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1940448385.0000024118495000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1941538046.0000024113ADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923466951.0000024113ADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792097373.00000241187EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792775580.0000024113AE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1941538046.0000024113ADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923466951.0000024113ADD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792097373.00000241187EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792775580.0000024113AE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1775182206.0000024118816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903982039.0000024118816000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1865156176.0000024118816000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1935876761.00000241187C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919766075.00000241187B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792097373.00000241187B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000D.00000003.1940509024.000002411845B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000D.00000003.1792097373.00000241187B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1870810277.000002410EA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740252981.000002410EA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741607689.000002410EA33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1932980087.0000024119791000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1919623782.000002411978C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1791350941.000002411A2BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918029711.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1907161244.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928479876.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944467146.000002411A2BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1870810277.000002410EA39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1740252981.000002410EA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1741607689.000002410EA33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3546693324.00000207F7BC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5BE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.3549073453.000001DF54303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	URL Reputation: safe	unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1937272588.0000024118730000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.co.uk/	firefox.exe, 0000000D.00000003.1945352729.00000241187FC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1738379351.000002411003C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000D.00000003.1794523921.0000024111391000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1881250591.0000024119142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738200641.000002411001F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738036961.000002410FE00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1867394012.0000024119142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738726212.0000024110077000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1738379351.000002411003C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000D.00000003.1792910474.0000024113A14000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
http://json-schema.org/draft-07/schema#-	firefox.exe, 0000000D.00000003.1802713041.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1791649569.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931020318.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1944969328.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918680414.0000024119AC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3548790301.00000207F7C00000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3545887871.000001BAF5990000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.3546000420.000001DF53F30000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://www.wykop.pl/	firefox.exe, 0000000D.00000003.1935876761.00000241187F8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/	firefox.exe, 0000000D.00000003.1907161244.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938172126.000002411868A000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
142.250.184.206	youtube.com	United States	15169	GOOGLEUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543500
Start date and time:	2024-10-28 02:17:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/41@73/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 34.211.181.209, 52.32.18.233, 34.218.156.47, 172.217.18.14, 2.22.61.59, 2.22.61.56, 142.250.185.78, 142.250.185.106, 142.250.186.106
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
dyna.wikimedia.org	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
	file.exe	Get hash	malicious	Credential Flusher	Browse	185.15.59.224
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, XWorm	Browse	185.199.110.133
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	SecuriteInfo.com.FileRepMalware.12585.5759.exe	Get hash	malicious	Unknown	Browse	57.129.0.22
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	57.192.26.160
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	SecuriteInfo.com.FileRepMalware.12585.5759.exe	Get hash	malicious	Unknown	Browse	57.129.0.22
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	57.192.26.160
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c9ccca75-d92c-4a33-b760-9957043a920c.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.184726578169337
Encrypted:	false
SSDEEP:	192:9jMX3D0cbhbVbTbfbRbObtbyEl7nYr8JA6WnSrDtTUd/SkDr3:9YIcNhnzFSJ4rPBnSrDhUd/R
MD5:	A3B69BC4E8458AEEFC5034EDB739DB36
SHA1:	85B554F206D878A82CFC1617F4A88F4E8A858821
SHA-256:	D80FA995FBD74BA467D69C5A6840603A80E7CCC82D2A1FB631362DE70A1D4F45
SHA-512:	9907E909FEBB55F79BA0D4DBD4F0E5E7D32A031DB77BF2D728BA12654161CD97D1B252FE7DF0752835CC499E6AF18DE0856A83C746EBD0A6B05F2EDD426B64A0
Malicious:	false
Preview:	{"type":"uninstall","id":"c9ccca75-d92c-4a33-b760-9957043a920c","creationDate":"2024-10-28T03:08:08.877Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c9ccca75-d92c-4a33-b760-9957043a920c.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.184726578169337
Encrypted:	false
SSDEEP:	192:9jMX3D0cbhbVbTbfbRbObtbyEl7nYr8JA6WnSrDtTUd/SkDr3:9YIcNhnzFSJ4rPBnSrDhUd/R
MD5:	A3B69BC4E8458AEEFC5034EDB739DB36
SHA1:	85B554F206D878A82CFC1617F4A88F4E8A858821
SHA-256:	D80FA995FBD74BA467D69C5A6840603A80E7CCC82D2A1FB631362DE70A1D4F45
SHA-512:	9907E909FEBB55F79BA0D4DBD4F0E5E7D32A031DB77BF2D728BA12654161CD97D1B252FE7DF0752835CC499E6AF18DE0856A83C746EBD0A6B05F2EDD426B64A0
Malicious:	false
Preview:	{"type":"uninstall","id":"c9ccca75-d92c-4a33-b760-9957043a920c","creationDate":"2024-10-28T03:08:08.877Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305060000573604
Encrypted:	false
SSDEEP:	48:+P9deK6UgdwZzF69deKK6BdwvFc9deKqadwN1:SKKiqj
MD5:	36F1E34CCD6F257AD40FD52C4AF4B7F8
SHA1:	37DD5F143CFF9D24F808B9553FC08E5DED249472
SHA-256:	F281F43DB27609EB9D7F682600C776E0E351710C5A5D8C4F3C6599F20234D660
SHA-512:	C52F254E378AEC008D50EBC3AFD4012EFEB993538D58475BCB8D4A258301F1AD6CCC2ED3FC917513A0086CCAF734C66D5B68B79B29EB58EA1BEEBA1ECBE90F70
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Z..T.(..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I\YL.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W\YL.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W\YL...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........%6i......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305060000573604
Encrypted:	false
SSDEEP:	48:+P9deK6UgdwZzF69deKK6BdwvFc9deKqadwN1:SKKiqj
MD5:	36F1E34CCD6F257AD40FD52C4AF4B7F8
SHA1:	37DD5F143CFF9D24F808B9553FC08E5DED249472
SHA-256:	F281F43DB27609EB9D7F682600C776E0E351710C5A5D8C4F3C6599F20234D660
SHA-512:	C52F254E378AEC008D50EBC3AFD4012EFEB993538D58475BCB8D4A258301F1AD6CCC2ED3FC917513A0086CCAF734C66D5B68B79B29EB58EA1BEEBA1ECBE90F70
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Z..T.(..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I\YL.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W\YL.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W\YL...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........%6i......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ATMBLVSEP6SKS3NVW5F8.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305060000573604
Encrypted:	false
SSDEEP:	48:+P9deK6UgdwZzF69deKK6BdwvFc9deKqadwN1:SKKiqj
MD5:	36F1E34CCD6F257AD40FD52C4AF4B7F8
SHA1:	37DD5F143CFF9D24F808B9553FC08E5DED249472
SHA-256:	F281F43DB27609EB9D7F682600C776E0E351710C5A5D8C4F3C6599F20234D660
SHA-512:	C52F254E378AEC008D50EBC3AFD4012EFEB993538D58475BCB8D4A258301F1AD6CCC2ED3FC917513A0086CCAF734C66D5B68B79B29EB58EA1BEEBA1ECBE90F70
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Z..T.(..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I\YL.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W\YL.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W\YL...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........%6i......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OCOW559X6DP43MX7PGEV.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.305060000573604
Encrypted:	false
SSDEEP:	48:+P9deK6UgdwZzF69deKK6BdwvFc9deKqadwN1:SKKiqj
MD5:	36F1E34CCD6F257AD40FD52C4AF4B7F8
SHA1:	37DD5F143CFF9D24F808B9553FC08E5DED249472
SHA-256:	F281F43DB27609EB9D7F682600C776E0E351710C5A5D8C4F3C6599F20234D660
SHA-512:	C52F254E378AEC008D50EBC3AFD4012EFEB993538D58475BCB8D4A258301F1AD6CCC2ED3FC917513A0086CCAF734C66D5B68B79B29EB58EA1BEEBA1ECBE90F70
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......Z..T.(..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.I\YL.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W\YL.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W\YL...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z...........%6i......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.93083916996561
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBYkX8P:8S+OBIUjOdwiOdYVjjwLGk8P
MD5:	2E6F86BBF7D37A3D688E5EC0888BCCD3
SHA1:	59C5E3098C9669837A67E536E5E365EA606F5E7E
SHA-256:	A2402AA70BB4696005803C79319D1E1F121376FBC527697461A5DE275C5920B6
SHA-512:	AFB82F86D9F71DF3083763F80D4D0540E86FF2CE242ED2F0BD6A7A31033D9F7A632314903116E7B0AE98B12507F267B236B4A5CF24D526690D5C2E9FB14662E0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.93083916996561
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLBYkX8P:8S+OBIUjOdwiOdYVjjwLGk8P
MD5:	2E6F86BBF7D37A3D688E5EC0888BCCD3
SHA1:	59C5E3098C9669837A67E536E5E365EA606F5E7E
SHA-256:	A2402AA70BB4696005803C79319D1E1F121376FBC527697461A5DE275C5920B6
SHA-512:	AFB82F86D9F71DF3083763F80D4D0540E86FF2CE242ED2F0BD6A7A31033D9F7A632314903116E7B0AE98B12507F267B236B4A5CF24D526690D5C2E9FB14662E0
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07323501306336999
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiI:DLhesh7Owd4+jiI
MD5:	825B30E00DF89C3C8EA74648C87E1B4C
SHA1:	324C4BB2BFBA40E6F4D258927125679595C18ACF
SHA-256:	CC9DC0BA94BF797FC1F04B49B3F017A84FB874B64ABE3C7D26AA2A535CA72CBC
SHA-512:	CF6050D340C43EC8595767D36E2E8806FBE907AA828CA45E30D8E4F772CFA445226B96C565CFDEDEF0CBAC2234881668E474DF92DC5D50F2DADC81FF47CECC42
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039461165957280435
Encrypted:	false
SSDEEP:	6:G7VevPKH8EDZm7VevPKH8EDZgL9XIwlio:cevS1KevS1+Pi
MD5:	F372A1DECB747FA3EBADB87A1B08DE84
SHA1:	A555F5585A2B01B5C9AE3202F912D751ACC18434
SHA-256:	831E075AF428A611A89219B52CE980F267689876E4140805B3B09F28EAD443FF
SHA-512:	967B811123B4D1317D8703E283884694E12DC55691AD91128E52F3B9C4D2DD7DA642291C8DDA66BC4D53B80499F4885649CAE8725817471D9AAED56AD4C94509
Malicious:	false
Preview:	..-..........................a2.~08...t...<_0....-..........................a2.~08...t...<_0..........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11767138421195485
Encrypted:	false
SSDEEP:	24:KPlcfkhLxsZ+cjxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxQwlFHVZ2i7+:tMfQzJtUnWdU+RVxB1Zk
MD5:	E5975F682E12E7A7728B09EE2865433F
SHA1:	9BC4BC6A6E033DC3A60473C3E10F4C2B16599AF2
SHA-256:	8FA8389BD941FDC477F44BD94BF31DD4E746A9B386903CA816A76B0C40C2B7A4
SHA-512:	CF04A4E376F9EAB54D983B641FDD8463EB08B44B60881B1FED9C7651E2CCFDF55E7CDEA7D55646D4775406140BC95CB6416C0DA3F86ABF4686DAD00F486B768F
Malicious:	false
Preview:	7....-..........~08...t...3.V..........~08...t._...M:xF................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496326995147163
Encrypted:	false
SSDEEP:	192:UnaRtLYbBp66hj4qyaaXv6KKHNeP5RfGNBw8dfSl:pe4qdFtwcwg0
MD5:	A8583D297AF0D509CA1C3CFFC7D34D97
SHA1:	E83F5296DD77D8C807E95DF32BF54EF7DCBD9CC1
SHA-256:	8E3C92DD46CA3CCD2F26600AEC01C360E0D79D8673399E9F150C17E21446A7E8
SHA-512:	E30C0CE6BF3649073369B903A0AAA4654BDFEC3BCF53D203633BAEE076C8512CDD6025D361BFD5D9C50176DBF4259A67A4B7F843D4212217F5D27DDE790ED2B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730084859);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730084859);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730084859);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173008

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.496326995147163
Encrypted:	false
SSDEEP:	192:UnaRtLYbBp66hj4qyaaXv6KKHNeP5RfGNBw8dfSl:pe4qdFtwcwg0
MD5:	A8583D297AF0D509CA1C3CFFC7D34D97
SHA1:	E83F5296DD77D8C807E95DF32BF54EF7DCBD9CC1
SHA-256:	8E3C92DD46CA3CCD2F26600AEC01C360E0D79D8673399E9F150C17E21446A7E8
SHA-512:	E30C0CE6BF3649073369B903A0AAA4654BDFEC3BCF53D203633BAEE076C8512CDD6025D361BFD5D9C50176DBF4259A67A4B7F843D4212217F5D27DDE790ED2B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730084859);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730084859);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730084859);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173008

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	6.356520342589616
Encrypted:	false
SSDEEP:	24:vkSUGlcAxS7E9LXnIgm/pnxQwRls6Zsp9bGH3j6xiM3FtdL/5QH2oXpTurD/I0DO:cpOx4SGnRTZY9qGxH3F5kpTgwcR4
MD5:	C0CFD660642ACFB5653982B99B7A1DC6
SHA1:	C564561BA44E1DD4C8439F314BEB597FF055E0FB
SHA-256:	6EFA3735A1456790B0C9E0DF550D204AB10C19A5E8A2972240EDD0970A6E0D32
SHA-512:	46D18A16A220D5F2F52CB3D3D6FF0CA70FA5FF0DF03036EFD0268375EE69776A3FFFB893DFD89DE50EEC116B45D802FDE8C08E4590ADF4C44D860ABF20BFF3C8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e2b8f9d-84e7-4a6b-a1bd-3375341b7ddb}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730084878645,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P28509...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...44163,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	6.356520342589616
Encrypted:	false
SSDEEP:	24:vkSUGlcAxS7E9LXnIgm/pnxQwRls6Zsp9bGH3j6xiM3FtdL/5QH2oXpTurD/I0DO:cpOx4SGnRTZY9qGxH3F5kpTgwcR4
MD5:	C0CFD660642ACFB5653982B99B7A1DC6
SHA1:	C564561BA44E1DD4C8439F314BEB597FF055E0FB
SHA-256:	6EFA3735A1456790B0C9E0DF550D204AB10C19A5E8A2972240EDD0970A6E0D32
SHA-512:	46D18A16A220D5F2F52CB3D3D6FF0CA70FA5FF0DF03036EFD0268375EE69776A3FFFB893DFD89DE50EEC116B45D802FDE8C08E4590ADF4C44D860ABF20BFF3C8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e2b8f9d-84e7-4a6b-a1bd-3375341b7ddb}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730084878645,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P28509...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...44163,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5862 bytes
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	6.356520342589616
Encrypted:	false
SSDEEP:	24:vkSUGlcAxS7E9LXnIgm/pnxQwRls6Zsp9bGH3j6xiM3FtdL/5QH2oXpTurD/I0DO:cpOx4SGnRTZY9qGxH3F5kpTgwcR4
MD5:	C0CFD660642ACFB5653982B99B7A1DC6
SHA1:	C564561BA44E1DD4C8439F314BEB597FF055E0FB
SHA-256:	6EFA3735A1456790B0C9E0DF550D204AB10C19A5E8A2972240EDD0970A6E0D32
SHA-512:	46D18A16A220D5F2F52CB3D3D6FF0CA70FA5FF0DF03036EFD0268375EE69776A3FFFB893DFD89DE50EEC116B45D802FDE8C08E4590ADF4C44D860ABF20BFF3C8
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{6e2b8f9d-84e7-4a6b-a1bd-3375341b7ddb}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730084878645,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1280,"height":1024,"screenX......Y..Aizem..."maximize......BeforeMin...&..workspace:...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zE..1...Wn..m........k..;....1":{..mUpdate...startTim..P28509...centCrash..B0},".....Dcook.. hod..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,a.Donly..fexpiry...44163,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034072205905048
Encrypted:	false
SSDEEP:	48:YrSAY26UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc2yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	26A9451AB6E439E105C7E48DFB26F805
SHA1:	E7CD9E8B624584DDDB1F64E16ADDCC7106191498
SHA-256:	693C368641B31F6284EFA4726C308B20F406266450E9C6633E3E724D4C9D5BA4
SHA-512:	5AA9DC9E20471D3CB8F72459A22E527A0BD58DD89612FAB3D6F5CCD23AF2E0B9FAA87C8AD469909B86793E81BB9A8690026D99C64538724104ADD943282FBFE4
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T03:07:29.777Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.034072205905048
Encrypted:	false
SSDEEP:	48:YrSAY26UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyJW:yc2yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	26A9451AB6E439E105C7E48DFB26F805
SHA1:	E7CD9E8B624584DDDB1F64E16ADDCC7106191498
SHA-256:	693C368641B31F6284EFA4726C308B20F406266450E9C6633E3E724D4C9D5BA4
SHA-512:	5AA9DC9E20471D3CB8F72459A22E527A0BD58DD89612FAB3D6F5CCD23AF2E0B9FAA87C8AD469909B86793E81BB9A8690026D99C64538724104ADD943282FBFE4
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-28T03:07:29.777Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.411137816108237
Encrypted:	false
SSDEEP:	3:YGNDhK6c2us1pNGHfYL2HEYwgL2HEmxhHtifYYMgEYyibudJ8KgfHVEW1:YGNTG/I2XV2fEzLEJ8Kgf1Ew
MD5:	AAC5F6FC2FA4A5691A244B46164834FD
SHA1:	F011E46647F4C402B798C285DE982A6BB9EC73BF
SHA-256:	BE115879DA967E2C1213870515E049801E5950D1179325B99891869A40263BB0
SHA-512:	963486CF702B7623C20123B669F538ADBC51B996E67AB52EDE4635FF05034CA28A3926A98656CB5E8E9BB2C1FBAD338744B312B4673585FD9810AA6E36D343EC
Malicious:	false
Preview:	{"chrome://browser/content/browser.xhtml":{"sidebar-box":{"sidebarcommand":"","style":""},"sidebar-title":{"value":""},"main-window":{"sizemode":"normal"}}}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584697679004007
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	158a88b989303eb0443db400eea08e23
SHA1:	492ee65174fb3e1739c9a117099f80b816575022
SHA256:	18d9e19df2cc995fd5e2f0c0b5f74c79b08c7f6d139f49e46f7cb893e3685950
SHA512:	6464412853d8d7a1a08676d0628d4490105af60d83f719ec4bdf8b22191651dd682528e53a90effb0a3a7e029adf88e9c65ca9b24784cfe3b54b0fd32f8f517a
SSDEEP:	12288:7qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TW:7qDEvCTbMWu7rQYlBQcBiT6rprG8abW
TLSH:	F7159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671EE405 [Mon Oct 28 01:08:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC144841343h
jmp 00007FC144840C4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC144840E2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC144840DFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC1448439EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC144843A38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC144843A21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	facb3958da18654648fe081ee7bc5cf3	False	0.3156398338607595	data	5.373963109924308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 02:18:27.091418982 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.091511011 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:27.092729092 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.107374907 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.107418060 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:27.746951103 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:27.753555059 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.764234066 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.764287949 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:27.764391899 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:27.764853001 CET	443	49736	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:27.765388966 CET	49736	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:29.447279930 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.447329998 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:29.454597950 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.456031084 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.456046104 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:29.563582897 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.563667059 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:29.565553904 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:29.566466093 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.568713903 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:29.568747997 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:29.571099043 CET	80	49740	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:29.582099915 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:29.582285881 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:29.587621927 CET	80	49740	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:29.998364925 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:29.998437881 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:29.998873949 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.002940893 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.002974987 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.012455940 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.012562037 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.012877941 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.014022112 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.014060974 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.020060062 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.020085096 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.020804882 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.021030903 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.021054983 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.189656019 CET	80	49740	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:30.230660915 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:30.533422947 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:30.538789034 CET	80	49744	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:30.539187908 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:30.539223909 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:30.539324999 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:30.539630890 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:30.544950008 CET	80	49744	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:30.545566082 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:30.545850992 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:30.545866013 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:30.548377037 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.548571110 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.548592091 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.548625946 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.549813032 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.549833059 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.550362110 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.550374031 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.550375938 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.558636904 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.558681011 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.558743954 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.559283972 CET	443	49739	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.561691046 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.561706066 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.561827898 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.562114954 CET	443	49738	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.562241077 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.562258959 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.568536043 CET	49739	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.568552971 CET	49738	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.568615913 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.569885015 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.569905996 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:30.617408037 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.626415968 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.626502991 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.631892920 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.634815931 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.634833097 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.634949923 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.634973049 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.634979963 CET	443	49741	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.635437965 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.635453939 CET	443	49748	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.636651039 CET	49741	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.636651039 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.638588905 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.638602018 CET	443	49748	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.640736103 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.640780926 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.640873909 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.641156912 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.641216993 CET	443	49749	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.641302109 CET	443	49742	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.641377926 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.643309116 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.643352032 CET	443	49749	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:30.643426895 CET	49742	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:30.666261911 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.669730902 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.672377110 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.672389984 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.672852039 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.674328089 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.674397945 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.674510002 CET	443	49743	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:30.685290098 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.685317993 CET	49743	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:30.870218039 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:30.870232105 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.138462067 CET	80	49744	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:31.172465086 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:31.172519922 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:31.175123930 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:31.175132036 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:31.175652027 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:31.177166939 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:31.177261114 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:31.177344084 CET	443	49745	34.160.144.191	192.168.2.4
Oct 28, 2024 02:18:31.177942991 CET	49745	443	192.168.2.4	34.160.144.191
Oct 28, 2024 02:18:31.186531067 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.256520033 CET	443	49748	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.256624937 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.259610891 CET	443	49749	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.259728909 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.261549950 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.261583090 CET	443	49748	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.261629105 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.261848927 CET	443	49748	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.262574911 CET	49748	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.263171911 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.263189077 CET	443	49749	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.263231039 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.263326883 CET	443	49749	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.263394117 CET	49749	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.286691904 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.286717892 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.292538881 CET	80	49740	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:31.292843103 CET	80	49744	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:31.294157028 CET	49740	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.294167042 CET	49744	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.427958965 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.429303885 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.432766914 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:31.432780981 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.436961889 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:31.436971903 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.437087059 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:31.437216997 CET	443	49747	142.250.184.206	192.168.2.4
Oct 28, 2024 02:18:31.437316895 CET	49747	443	192.168.2.4	142.250.184.206
Oct 28, 2024 02:18:31.851558924 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.851632118 CET	443	49751	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.857124090 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.858534098 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:31.858562946 CET	443	49751	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:31.862828016 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.869214058 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:31.870099068 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.870273113 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:31.877903938 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:32.467422962 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:32.482790947 CET	443	49751	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:32.482886076 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.487520933 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.487538099 CET	443	49751	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:32.487631083 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.488009930 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.488038063 CET	443	49753	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:32.488204956 CET	443	49751	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:32.489016056 CET	49751	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.489027977 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.490361929 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:32.490375996 CET	443	49753	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:32.508378983 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.054354906 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.152659893 CET	80	49754	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:33.152817965 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.162278891 CET	443	49753	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:33.162769079 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:33.167877913 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:33.167884111 CET	443	49753	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:33.167980909 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:33.168427944 CET	443	49753	34.117.188.166	192.168.2.4
Oct 28, 2024 02:18:33.179838896 CET	49753	443	192.168.2.4	34.117.188.166
Oct 28, 2024 02:18:33.311883926 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.317780018 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:33.317934036 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.318090916 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:33.323508024 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:33.944721937 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:33.997004986 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:34.066081047 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:34.071540117 CET	80	49754	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:34.079989910 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:37.143198013 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:37.148852110 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:37.277612925 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:37.322500944 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:39.253035069 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:39.259006023 CET	80	49754	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:39.259084940 CET	49754	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:41.007033110 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:41.014110088 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:41.142947912 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:41.189634085 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:42.587851048 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:42.587882996 CET	443	49763	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:42.588270903 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:42.591727018 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:42.593628883 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:42.593646049 CET	443	49763	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:42.595535994 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:42.715116024 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:42.762965918 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.161623001 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.167203903 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:43.215014935 CET	443	49763	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:43.215579033 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:43.220237017 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:43.220246077 CET	443	49763	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:43.220293999 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:43.220513105 CET	443	49763	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:43.221103907 CET	49763	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:43.293185949 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:43.349081993 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.353346109 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.353418112 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.353821993 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.353992939 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.354028940 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.356609106 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.356697083 CET	443	49765	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:43.357105017 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.358490944 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.358539104 CET	443	49765	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:43.373408079 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.379308939 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:43.499130011 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:43.549621105 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.876672983 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:43.882210970 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:43.906104088 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:43.906188011 CET	443	49766	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:43.906290054 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:43.908206940 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:43.908241987 CET	443	49766	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:43.968267918 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.968447924 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.972716093 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.972740889 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.973146915 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.974306107 CET	443	49765	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:43.974500895 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.979367018 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.979484081 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.979585886 CET	443	49764	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:43.980020046 CET	49764	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:43.981601954 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.981654882 CET	443	49765	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:43.981682062 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:43.981888056 CET	443	49765	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:43.982271910 CET	49765	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.008143902 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:44.044881105 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:44.050281048 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:44.051093102 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:44.099263906 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.099340916 CET	443	49767	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.099695921 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.101653099 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.101684093 CET	443	49767	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.170139074 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:44.213893890 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:44.522856951 CET	443	49766	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:44.522948027 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:44.717305899 CET	443	49767	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.717397928 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.946384907 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:44.946455956 CET	443	49766	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:44.946510077 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:44.946670055 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.946715117 CET	443	49766	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:44.946724892 CET	443	49767	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.946758032 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.947015047 CET	443	49767	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.947774887 CET	49766	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:44.947789907 CET	49767	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.956955910 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:44.962414980 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:44.975692987 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:44.981185913 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:44.985208035 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.985286951 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.986895084 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.988806963 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.988842010 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.990456104 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.990484953 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.991236925 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.991408110 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.991424084 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.994247913 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.994271994 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:44.994950056 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.995096922 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:44.995132923 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:45.088327885 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:45.100625038 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:45.132246017 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:45.154386997 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:45.165210009 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:45.170613050 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:45.297360897 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:45.355014086 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:45.598028898 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:45.598120928 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:45.605057001 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:45.611331940 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:45.612140894 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:45.644551992 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:45.644704103 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.677160025 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.677229881 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.678152084 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.680524111 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.680560112 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.680830956 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.687686920 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.687701941 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.688014984 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.688025951 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.688040972 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.688146114 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.688247919 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.688846111 CET	443	49769	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.690160036 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.690193892 CET	49769	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.737019062 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:46.899338007 CET	443	49768	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:46.899420977 CET	49768	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:47.600220919 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:47.600294113 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:47.600478888 CET	443	49770	34.120.208.123	192.168.2.4
Oct 28, 2024 02:18:47.601382017 CET	49770	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:18:47.615631104 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:47.621146917 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:47.741354942 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:47.793459892 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:47.945744038 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:47.951190948 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:48.078214884 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:48.118176937 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:49.443589926 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:49.443675041 CET	443	49771	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:49.444489002 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:49.446552992 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:49.446589947 CET	443	49771	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:50.055583954 CET	443	49771	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:50.055732965 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:50.061647892 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:50.061659098 CET	443	49771	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:50.061741114 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:50.061805010 CET	443	49771	34.107.243.93	192.168.2.4
Oct 28, 2024 02:18:50.065023899 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:50.065562963 CET	49771	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:18:50.070441008 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:50.193162918 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:50.196868896 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:50.205185890 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:50.240600109 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:50.330950022 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:50.372149944 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:55.819714069 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:55.819749117 CET	443	49772	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:55.824645042 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:55.824645042 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:55.824676991 CET	443	49772	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:55.843064070 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:55.843103886 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:55.843780994 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:55.843780994 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:55.843821049 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:55.849513054 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:55.849550962 CET	443	49774	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:55.852489948 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:55.858608007 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:55.858648062 CET	443	49774	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:55.860619068 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:55.860673904 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:55.867197037 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:55.873105049 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:55.873105049 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:55.873117924 CET	443	49776	35.201.103.21	192.168.2.4
Oct 28, 2024 02:18:55.873140097 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:55.874361992 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:55.875171900 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:55.875184059 CET	443	49776	35.201.103.21	192.168.2.4
Oct 28, 2024 02:18:56.432172060 CET	443	49772	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.432378054 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.435944080 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.435956955 CET	443	49772	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.436192036 CET	443	49772	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.438174009 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.438296080 CET	49772	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.442576885 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:56.447918892 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:56.487493992 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.487588882 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.491353035 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.491364002 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.491684914 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.493412018 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.493596077 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.493628979 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.493635893 CET	443	49773	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.494679928 CET	49773	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.494987011 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:56.495008945 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:56.495145082 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:56.496167898 CET	443	49774	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:56.496471882 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:56.497980118 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:56.497991085 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:56.498342991 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:56.499738932 CET	443	49776	35.201.103.21	192.168.2.4
Oct 28, 2024 02:18:56.499881983 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:56.504329920 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:56.504414082 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:56.504597902 CET	443	49775	151.101.1.91	192.168.2.4
Oct 28, 2024 02:18:56.504890919 CET	49775	443	192.168.2.4	151.101.1.91
Oct 28, 2024 02:18:56.506179094 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:56.506186008 CET	443	49774	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:56.506237030 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:56.506346941 CET	443	49774	35.190.72.216	192.168.2.4
Oct 28, 2024 02:18:56.506799936 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:56.506803989 CET	443	49776	35.201.103.21	192.168.2.4
Oct 28, 2024 02:18:56.506854057 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:56.507062912 CET	443	49776	35.201.103.21	192.168.2.4
Oct 28, 2024 02:18:56.511888027 CET	49774	443	192.168.2.4	35.190.72.216
Oct 28, 2024 02:18:56.511904001 CET	49776	443	192.168.2.4	35.201.103.21
Oct 28, 2024 02:18:56.512531996 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.512556076 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.512878895 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.513019085 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.513031960 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.515197039 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.515243053 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.515882015 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.515979052 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.515995026 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.518142939 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.518151045 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.518776894 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.518899918 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:56.518910885 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:56.524437904 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.524458885 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.524581909 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.524665117 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:56.524679899 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:56.567306995 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:56.569972992 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:56.575340986 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:56.620791912 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:56.701260090 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:56.752475977 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:57.112303019 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.112545967 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.115417004 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.115422964 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.115740061 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.117736101 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.117831945 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.117912054 CET	443	49777	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.121917963 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:57.122250080 CET	49777	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.319669008 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:57.321814060 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:57.321854115 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.321883917 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:57.322223902 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.324795008 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:57.324807882 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:57.325050116 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:57.326929092 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.326935053 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.327168941 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.327426910 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.328290939 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.330473900 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.330498934 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.330904007 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.331712008 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:57.331793070 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:57.331866026 CET	443	49780	34.149.100.209	192.168.2.4
Oct 28, 2024 02:18:57.332067013 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.332117081 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.332197905 CET	443	49779	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.333188057 CET	49780	443	192.168.2.4	34.149.100.209
Oct 28, 2024 02:18:57.333201885 CET	49779	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.334466934 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.334527969 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.334661007 CET	443	49778	35.244.181.201	192.168.2.4
Oct 28, 2024 02:18:57.337290049 CET	49778	443	192.168.2.4	35.244.181.201
Oct 28, 2024 02:18:57.439691067 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:57.442723989 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:57.448149920 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:57.492136002 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:18:57.573813915 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:18:57.623697996 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:00.067014933 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.067095995 CET	443	49782	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:00.067234993 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.068456888 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.068490028 CET	443	49782	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:00.668454885 CET	443	49782	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:00.668579102 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.674626112 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.674654961 CET	443	49782	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:00.674762964 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.674869061 CET	443	49782	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:00.676150084 CET	49782	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:00.677839041 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:00.683383942 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:00.803102016 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:00.809011936 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:00.814410925 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:00.848750114 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:00.940428972 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:01.002516985 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:10.818134069 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:10.949636936 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:11.425313950 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.425344944 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.442419052 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:11.447757006 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.568356991 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.571090937 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:11.576462030 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.620390892 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:11.702282906 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:11.751961946 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.022006035 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.022087097 CET	443	49805	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:21.022198915 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.023461103 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.023530006 CET	443	49805	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:21.579824924 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.585445881 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.648968935 CET	443	49805	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:21.649169922 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.654500961 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.654529095 CET	443	49805	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:21.654594898 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.654930115 CET	443	49805	34.107.243.93	192.168.2.4
Oct 28, 2024 02:19:21.654990911 CET	49805	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:19:21.657094955 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.662452936 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.711412907 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.716967106 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.781843901 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.784805059 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.790203094 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.833364964 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:21.916026115 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:21.964909077 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:25.794460058 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.794472933 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.794517994 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:25.794543028 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:25.794599056 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.794680119 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:25.794934988 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.794958115 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.794965982 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.795109034 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.795123100 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:25.795356035 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.795387030 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:25.795443058 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:25.795470953 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.404090881 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.404275894 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.407727003 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.407759905 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.408159018 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.410372019 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.410490036 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.410547018 CET	443	49833	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.410947084 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.414110899 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:26.414915085 CET	49833	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.415069103 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.415101051 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.418179989 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.418232918 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.418327093 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.418955088 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.420030117 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:26.420484066 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.420501947 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.420818090 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.423578978 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.423680067 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.423965931 CET	443	49831	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.424127102 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.424197912 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.424290895 CET	443	49832	34.120.208.123	192.168.2.4
Oct 28, 2024 02:19:26.424330950 CET	49831	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.424427032 CET	49832	443	192.168.2.4	34.120.208.123
Oct 28, 2024 02:19:26.539937019 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:26.543704987 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:26.549818039 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:26.589179993 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:26.674926996 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:26.727366924 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:36.554886103 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:36.560285091 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:36.686605930 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:36.691936970 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:46.561789036 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:46.567193985 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:46.699974060 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:46.706346035 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:56.575238943 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:56.580643892 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:19:56.713351011 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:19:56.718683004 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:02.172492981 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.172523022 CET	443	50034	34.107.243.93	192.168.2.4
Oct 28, 2024 02:20:02.172719002 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.174201012 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.174213886 CET	443	50034	34.107.243.93	192.168.2.4
Oct 28, 2024 02:20:02.818909883 CET	443	50034	34.107.243.93	192.168.2.4
Oct 28, 2024 02:20:02.818981886 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.825159073 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.825167894 CET	443	50034	34.107.243.93	192.168.2.4
Oct 28, 2024 02:20:02.825261116 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.825443029 CET	443	50034	34.107.243.93	192.168.2.4
Oct 28, 2024 02:20:02.825581074 CET	50034	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:20:02.828007936 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:02.833311081 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:02.952857018 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:02.956254005 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:02.962673903 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:03.008223057 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:03.087656975 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:03.130667925 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:12.958302021 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:12.964005947 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:13.089934111 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:13.095453978 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:22.964767933 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:22.970249891 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:23.102933884 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:23.108481884 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:32.977890015 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:32.983669043 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:33.115958929 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:33.121540070 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:42.990883112 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:42.996458054 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:43.122462034 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:43.127985954 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:53.002794981 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:53.008394957 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:20:53.134355068 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:20:53.139811039 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:03.015889883 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:03.021513939 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:03.147669077 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:03.153243065 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:13.028582096 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:13.034097910 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:13.160506964 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:13.165941000 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:23.036180019 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:23.041611910 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:23.190030098 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:23.196065903 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:23.627214909 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:23.627300978 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:23.627908945 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:23.629287004 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:23.629338026 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.278053045 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.287378073 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.297573090 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:24.302666903 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:24.302717924 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.303426027 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.303997993 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:24.304052114 CET	443	50055	34.107.243.93	192.168.2.4
Oct 28, 2024 02:21:24.305608034 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:24.310975075 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:24.318015099 CET	50055	443	192.168.2.4	34.107.243.93
Oct 28, 2024 02:21:24.430455923 CET	80	49752	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:24.434818983 CET	49755	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:24.440455914 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:24.479120970 CET	49752	80	192.168.2.4	34.107.221.82
Oct 28, 2024 02:21:24.566904068 CET	80	49755	34.107.221.82	192.168.2.4
Oct 28, 2024 02:21:24.619976044 CET	49755	80	192.168.2.4	34.107.221.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 28, 2024 02:18:27.092638969 CET	51647	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:27.100264072 CET	53	51647	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:27.148118019 CET	56984	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:27.155925035 CET	53	56984	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.439013004 CET	63616	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.445327044 CET	51437	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.446330070 CET	53	63616	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.447663069 CET	54935	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.454816103 CET	53	54935	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.458277941 CET	54003	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.459212065 CET	65414	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.465401888 CET	53	54003	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.468318939 CET	53	65414	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.468657017 CET	53434	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.476867914 CET	53	53434	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.987163067 CET	54129	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:29.995096922 CET	53	54129	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:29.999043941 CET	54381	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.002677917 CET	56040	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.006567001 CET	53	54381	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.010163069 CET	53	56040	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.011791945 CET	62127	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.012545109 CET	56130	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.019104958 CET	53	62127	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.020365000 CET	53	56130	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.020680904 CET	60367	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.021461964 CET	51869	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.028027058 CET	53	60367	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.029613972 CET	53	51869	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.030626059 CET	61491	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.037754059 CET	53	61491	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.337388039 CET	53584	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.338044882 CET	63304	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.344540119 CET	63566	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.346242905 CET	53015	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.529608965 CET	53	63304	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.529839993 CET	53	53015	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.529860973 CET	53	53584	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.542649984 CET	52525	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.551016092 CET	53	52525	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:30.565473080 CET	57922	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:30.573465109 CET	53	57922	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:36.611571074 CET	56950	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:36.619538069 CET	53	56950	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:36.621016026 CET	63604	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:36.628932953 CET	53	63604	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:36.630090952 CET	61091	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:36.638145924 CET	53	61091	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:40.943782091 CET	61416	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:40.972446918 CET	53	61326	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:41.405497074 CET	55681	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:41.412781000 CET	53	55681	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:41.413999081 CET	62911	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:41.421125889 CET	53	62911	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:41.421643972 CET	60305	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:41.429541111 CET	53	60305	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:42.587910891 CET	49501	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:42.589051008 CET	59793	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:42.599224091 CET	53	59793	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.339975119 CET	62671	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.347754002 CET	53	62671	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.357031107 CET	56071	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.364197969 CET	53	56071	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.370434999 CET	63823	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.381334066 CET	53	63823	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.894093037 CET	64372	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.901870012 CET	53	64372	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.906588078 CET	51061	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.914375067 CET	53	51061	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:43.915707111 CET	58004	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:43.922991991 CET	53	58004	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:49.343377113 CET	60827	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.350951910 CET	53	60827	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:49.987711906 CET	59272	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.987824917 CET	64012	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.988146067 CET	55457	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.995277882 CET	53	59272	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:49.995368958 CET	53	64012	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:49.995944977 CET	53	55457	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:49.996227026 CET	65036	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.996314049 CET	58319	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:49.996995926 CET	58278	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.003659010 CET	53	65036	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.003997087 CET	53	58319	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.006561995 CET	55221	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.006669998 CET	55598	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.010746002 CET	53	58278	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.011234045 CET	52024	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.014048100 CET	53	55598	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.014082909 CET	53	55221	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.014664888 CET	62824	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.015016079 CET	52897	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.019058943 CET	53	52024	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.021848917 CET	53	62824	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.022047043 CET	53	52897	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.022573948 CET	58635	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.022751093 CET	63862	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.029752016 CET	53	58635	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.031028986 CET	53	63862	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.031996012 CET	53386	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.032121897 CET	58517	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:50.039458036 CET	53	53386	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:50.039701939 CET	53	58517	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.819719076 CET	62055	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.827800035 CET	53	62055	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.842951059 CET	50493	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.850895882 CET	53	50493	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.852487087 CET	51601	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.855377913 CET	65116	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.860382080 CET	53	51601	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.863441944 CET	53	65116	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.867197990 CET	50575	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.867621899 CET	63196	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.875128984 CET	53	50575	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.875159025 CET	53	63196	1.1.1.1	192.168.2.4
Oct 28, 2024 02:18:55.884736061 CET	57073	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:18:55.892676115 CET	53	57073	1.1.1.1	192.168.2.4
Oct 28, 2024 02:19:00.066354990 CET	49495	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:19:00.074044943 CET	53	49495	1.1.1.1	192.168.2.4
Oct 28, 2024 02:19:00.075011015 CET	51231	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:19:00.082314968 CET	53	51231	1.1.1.1	192.168.2.4
Oct 28, 2024 02:19:21.013071060 CET	64082	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:19:21.020828009 CET	53	64082	1.1.1.1	192.168.2.4
Oct 28, 2024 02:19:21.021568060 CET	56159	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:19:21.028742075 CET	53	56159	1.1.1.1	192.168.2.4
Oct 28, 2024 02:19:25.753961086 CET	54590	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:19:25.761200905 CET	53	54590	1.1.1.1	192.168.2.4
Oct 28, 2024 02:20:02.164278984 CET	65318	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:20:02.171591997 CET	53	65318	1.1.1.1	192.168.2.4
Oct 28, 2024 02:20:02.172494888 CET	53585	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:20:02.179826975 CET	53	53585	1.1.1.1	192.168.2.4
Oct 28, 2024 02:20:02.828201056 CET	61120	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:21:23.581188917 CET	52324	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:21:23.588628054 CET	53	52324	1.1.1.1	192.168.2.4
Oct 28, 2024 02:21:23.590768099 CET	49465	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:21:23.598225117 CET	53	49465	1.1.1.1	192.168.2.4
Oct 28, 2024 02:21:23.623579025 CET	49465	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:21:23.623975992 CET	52076	53	192.168.2.4	1.1.1.1
Oct 28, 2024 02:21:23.630852938 CET	53	49465	1.1.1.1	192.168.2.4
Oct 28, 2024 02:21:23.631858110 CET	53	52076	1.1.1.1	192.168.2.4
Oct 28, 2024 02:21:24.306407928 CET	54448	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 28, 2024 02:18:27.092638969 CET	192.168.2.4	1.1.1.1	0x31bd	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:27.148118019 CET	192.168.2.4	1.1.1.1	0x2d3c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:29.439013004 CET	192.168.2.4	1.1.1.1	0xfa8b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.445327044 CET	192.168.2.4	1.1.1.1	0x3d25	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.447663069 CET	192.168.2.4	1.1.1.1	0x90b1	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.458277941 CET	192.168.2.4	1.1.1.1	0xac76	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.459212065 CET	192.168.2.4	1.1.1.1	0xbe0d	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:29.468657017 CET	192.168.2.4	1.1.1.1	0xfc53	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:29.987163067 CET	192.168.2.4	1.1.1.1	0x6e5e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.999043941 CET	192.168.2.4	1.1.1.1	0xae7e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.002677917 CET	192.168.2.4	1.1.1.1	0x22ae	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.011791945 CET	192.168.2.4	1.1.1.1	0x9c7	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:30.012545109 CET	192.168.2.4	1.1.1.1	0x71df	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.020680904 CET	192.168.2.4	1.1.1.1	0xd052	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.021461964 CET	192.168.2.4	1.1.1.1	0x5d27	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:30.030626059 CET	192.168.2.4	1.1.1.1	0x9d35	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:30.337388039 CET	192.168.2.4	1.1.1.1	0x660e	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.338044882 CET	192.168.2.4	1.1.1.1	0xdafd	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.344540119 CET	192.168.2.4	1.1.1.1	0x5ce5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.346242905 CET	192.168.2.4	1.1.1.1	0xd529	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.542649984 CET	192.168.2.4	1.1.1.1	0xa3f7	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.565473080 CET	192.168.2.4	1.1.1.1	0xcd60	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:36.611571074 CET	192.168.2.4	1.1.1.1	0x9986	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:36.621016026 CET	192.168.2.4	1.1.1.1	0xd96	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:36.630090952 CET	192.168.2.4	1.1.1.1	0x603c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:40.943782091 CET	192.168.2.4	1.1.1.1	0xab34	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:41.405497074 CET	192.168.2.4	1.1.1.1	0x5d25	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:41.413999081 CET	192.168.2.4	1.1.1.1	0xd0b1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:41.421643972 CET	192.168.2.4	1.1.1.1	0xc3ad	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:42.587910891 CET	192.168.2.4	1.1.1.1	0x6a5b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:42.589051008 CET	192.168.2.4	1.1.1.1	0xf3aa	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.339975119 CET	192.168.2.4	1.1.1.1	0x2602	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:43.357031107 CET	192.168.2.4	1.1.1.1	0x7425	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.370434999 CET	192.168.2.4	1.1.1.1	0xc3a8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:43.894093037 CET	192.168.2.4	1.1.1.1	0x173b	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.906588078 CET	192.168.2.4	1.1.1.1	0xe043	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.915707111 CET	192.168.2.4	1.1.1.1	0x391c	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:49.343377113 CET	192.168.2.4	1.1.1.1	0x986f	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:49.987711906 CET	192.168.2.4	1.1.1.1	0xd304	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.987824917 CET	192.168.2.4	1.1.1.1	0xe0f2	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.988146067 CET	192.168.2.4	1.1.1.1	0xca24	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.996227026 CET	192.168.2.4	1.1.1.1	0x90d9	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.996314049 CET	192.168.2.4	1.1.1.1	0x51e5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.996995926 CET	192.168.2.4	1.1.1.1	0xa26d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.006561995 CET	192.168.2.4	1.1.1.1	0x77b0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:50.006669998 CET	192.168.2.4	1.1.1.1	0x3f61	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:50.011234045 CET	192.168.2.4	1.1.1.1	0xdeb3	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 28, 2024 02:18:50.014664888 CET	192.168.2.4	1.1.1.1	0x80a1	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.015016079 CET	192.168.2.4	1.1.1.1	0x1e85	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.022573948 CET	192.168.2.4	1.1.1.1	0xee12	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.022751093 CET	192.168.2.4	1.1.1.1	0xf83	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.031996012 CET	192.168.2.4	1.1.1.1	0x548a	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 28, 2024 02:18:50.032121897 CET	192.168.2.4	1.1.1.1	0x7652	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:55.819719076 CET	192.168.2.4	1.1.1.1	0x928	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 28, 2024 02:18:55.842951059 CET	192.168.2.4	1.1.1.1	0x42a8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.852487087 CET	192.168.2.4	1.1.1.1	0xa009	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.855377913 CET	192.168.2.4	1.1.1.1	0xab34	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.867197990 CET	192.168.2.4	1.1.1.1	0x3f16	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.867621899 CET	192.168.2.4	1.1.1.1	0xb5b8	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 28, 2024 02:18:55.884736061 CET	192.168.2.4	1.1.1.1	0x5b5f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:19:00.066354990 CET	192.168.2.4	1.1.1.1	0xfbac	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:19:00.075011015 CET	192.168.2.4	1.1.1.1	0xb138	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:19:21.013071060 CET	192.168.2.4	1.1.1.1	0xc2ae	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:19:21.021568060 CET	192.168.2.4	1.1.1.1	0x9093	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:19:25.753961086 CET	192.168.2.4	1.1.1.1	0x656f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:20:02.164278984 CET	192.168.2.4	1.1.1.1	0xfdfc	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:20:02.172494888 CET	192.168.2.4	1.1.1.1	0x20c2	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:20:02.828201056 CET	192.168.2.4	1.1.1.1	0x9856	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.581188917 CET	192.168.2.4	1.1.1.1	0x5b9d	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.590768099 CET	192.168.2.4	1.1.1.1	0x13c1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.623579025 CET	192.168.2.4	1.1.1.1	0x13c1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.623975992 CET	192.168.2.4	1.1.1.1	0x2796	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 28, 2024 02:21:24.306407928 CET	192.168.2.4	1.1.1.1	0xd1f7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 28, 2024 02:18:27.053087950 CET	1.1.1.1	192.168.2.4	0xd74b	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:27.100264072 CET	1.1.1.1	192.168.2.4	0x31bd	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.446330070 CET	1.1.1.1	192.168.2.4	0xfa8b	No error (0)	youtube.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.453136921 CET	1.1.1.1	192.168.2.4	0x3d25	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:29.453136921 CET	1.1.1.1	192.168.2.4	0x3d25	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.454816103 CET	1.1.1.1	192.168.2.4	0x90b1	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.465401888 CET	1.1.1.1	192.168.2.4	0xac76	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:29.468318939 CET	1.1.1.1	192.168.2.4	0xbe0d	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:29.476867914 CET	1.1.1.1	192.168.2.4	0xfc53	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 02:18:29.995096922 CET	1.1.1.1	192.168.2.4	0x6e5e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.006567001 CET	1.1.1.1	192.168.2.4	0xae7e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.010163069 CET	1.1.1.1	192.168.2.4	0x22ae	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:30.010163069 CET	1.1.1.1	192.168.2.4	0x22ae	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.014919043 CET	1.1.1.1	192.168.2.4	0x62e9	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:30.014919043 CET	1.1.1.1	192.168.2.4	0x62e9	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.020365000 CET	1.1.1.1	192.168.2.4	0x71df	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.028027058 CET	1.1.1.1	192.168.2.4	0xd052	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529608965 CET	1.1.1.1	192.168.2.4	0xdafd	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529608965 CET	1.1.1.1	192.168.2.4	0xdafd	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529655933 CET	1.1.1.1	192.168.2.4	0x5ce5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529655933 CET	1.1.1.1	192.168.2.4	0x5ce5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529839993 CET	1.1.1.1	192.168.2.4	0xd529	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529839993 CET	1.1.1.1	192.168.2.4	0xd529	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529839993 CET	1.1.1.1	192.168.2.4	0xd529	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.529860973 CET	1.1.1.1	192.168.2.4	0x660e	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.551016092 CET	1.1.1.1	192.168.2.4	0xa3f7	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:30.573465109 CET	1.1.1.1	192.168.2.4	0xcd60	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 28, 2024 02:18:36.619538069 CET	1.1.1.1	192.168.2.4	0x9986	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:36.619538069 CET	1.1.1.1	192.168.2.4	0x9986	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:36.619538069 CET	1.1.1.1	192.168.2.4	0x9986	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:36.628932953 CET	1.1.1.1	192.168.2.4	0xd96	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:40.951793909 CET	1.1.1.1	192.168.2.4	0xab34	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:41.412781000 CET	1.1.1.1	192.168.2.4	0x5d25	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:41.421125889 CET	1.1.1.1	192.168.2.4	0xd0b1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:42.598432064 CET	1.1.1.1	192.168.2.4	0x6a5b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:42.598432064 CET	1.1.1.1	192.168.2.4	0x6a5b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:42.599224091 CET	1.1.1.1	192.168.2.4	0xf3aa	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.346697092 CET	1.1.1.1	192.168.2.4	0xe638	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:43.346697092 CET	1.1.1.1	192.168.2.4	0xe638	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.351380110 CET	1.1.1.1	192.168.2.4	0x7bf3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.364197969 CET	1.1.1.1	192.168.2.4	0x7425	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.901870012 CET	1.1.1.1	192.168.2.4	0x173b	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:43.901870012 CET	1.1.1.1	192.168.2.4	0x173b	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:43.914375067 CET	1.1.1.1	192.168.2.4	0xe043	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:44.095021009 CET	1.1.1.1	192.168.2.4	0x15a3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.74.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995277882 CET	1.1.1.1	192.168.2.4	0xd304	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995368958 CET	1.1.1.1	192.168.2.4	0xe0f2	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995368958 CET	1.1.1.1	192.168.2.4	0xe0f2	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995944977 CET	1.1.1.1	192.168.2.4	0xca24	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:49.995944977 CET	1.1.1.1	192.168.2.4	0xca24	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003659010 CET	1.1.1.1	192.168.2.4	0x90d9	No error (0)	star-mini.c10r.facebook.com		157.240.0.35	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		172.217.16.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.003997087 CET	1.1.1.1	192.168.2.4	0x51e5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.010746002 CET	1.1.1.1	192.168.2.4	0xa26d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.014048100 CET	1.1.1.1	192.168.2.4	0x3f61	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.014048100 CET	1.1.1.1	192.168.2.4	0x3f61	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.014048100 CET	1.1.1.1	192.168.2.4	0x3f61	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.014048100 CET	1.1.1.1	192.168.2.4	0x3f61	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.014082909 CET	1.1.1.1	192.168.2.4	0x77b0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.019058943 CET	1.1.1.1	192.168.2.4	0xdeb3	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 28, 2024 02:18:50.021848917 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:50.021848917 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.021848917 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.021848917 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.021848917 CET	1.1.1.1	192.168.2.4	0x80a1	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.022047043 CET	1.1.1.1	192.168.2.4	0x1e85	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.029752016 CET	1.1.1.1	192.168.2.4	0xee12	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.031028986 CET	1.1.1.1	192.168.2.4	0xf83	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.031028986 CET	1.1.1.1	192.168.2.4	0xf83	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.031028986 CET	1.1.1.1	192.168.2.4	0xf83	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:50.031028986 CET	1.1.1.1	192.168.2.4	0xf83	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.850895882 CET	1.1.1.1	192.168.2.4	0x42a8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.850895882 CET	1.1.1.1	192.168.2.4	0x42a8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.850895882 CET	1.1.1.1	192.168.2.4	0x42a8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.850895882 CET	1.1.1.1	192.168.2.4	0x42a8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.860382080 CET	1.1.1.1	192.168.2.4	0xa009	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:55.860382080 CET	1.1.1.1	192.168.2.4	0xa009	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.863441944 CET	1.1.1.1	192.168.2.4	0xab34	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.863441944 CET	1.1.1.1	192.168.2.4	0xab34	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.863441944 CET	1.1.1.1	192.168.2.4	0xab34	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.863441944 CET	1.1.1.1	192.168.2.4	0xab34	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:55.875128984 CET	1.1.1.1	192.168.2.4	0x3f16	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:18:57.349270105 CET	1.1.1.1	192.168.2.4	0xb6f7	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:18:57.349270105 CET	1.1.1.1	192.168.2.4	0xb6f7	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:19:00.074044943 CET	1.1.1.1	192.168.2.4	0xfbac	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:19:21.020828009 CET	1.1.1.1	192.168.2.4	0xc2ae	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:19:25.760802031 CET	1.1.1.1	192.168.2.4	0x475	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:20:02.171591997 CET	1.1.1.1	192.168.2.4	0xfdfc	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:20:02.835391045 CET	1.1.1.1	192.168.2.4	0x9856	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:20:02.835391045 CET	1.1.1.1	192.168.2.4	0x9856	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.588628054 CET	1.1.1.1	192.168.2.4	0x5b9d	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.598225117 CET	1.1.1.1	192.168.2.4	0x13c1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:23.630852938 CET	1.1.1.1	192.168.2.4	0x13c1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 28, 2024 02:21:24.313587904 CET	1.1.1.1	192.168.2.4	0xd1f7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 28, 2024 02:21:24.313587904 CET	1.1.1.1	192.168.2.4	0xd1f7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	7712	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 02:18:29.582285881 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:30.189656019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36825 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	34.107.221.82	80	7712	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 02:18:30.539630890 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:31.138462067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50844 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49752	34.107.221.82	80	7712	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 02:18:31.870273113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:32.467422962 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36827 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:37.143198013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:37.277612925 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36832 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:42.588270903 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:42.715116024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36837 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:43.373408079 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:43.499130011 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36838 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:44.044881105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:44.170139074 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36839 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:44.975692987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:45.100625038 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36840 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:47.615631104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:47.741354942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36842 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:50.065023899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:50.193162918 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36845 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:56.442576885 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:56.567306995 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36851 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:18:57.121917963 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:18:57.439691067 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36852 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:19:00.677839041 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:19:00.803102016 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36855 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:19:10.818134069 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:11.442419052 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:19:11.568356991 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36866 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:19:21.579824924 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:21.657094955 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:19:21.781843901 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36876 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:19:26.414110899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:19:26.539937019 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36881 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:19:36.554886103 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:46.561789036 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:56.575238943 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:02.828007936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:20:02.952857018 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36917 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 28, 2024 02:20:12.958302021 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:22.964767933 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:32.977890015 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:42.990883112 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:53.002794981 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:21:24.305608034 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 28, 2024 02:21:24.430455923 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 27 Oct 2024 15:04:45 GMT Age: 36999 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	7712	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 28, 2024 02:18:33.318090916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:33.944721937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50846 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:41.007033110 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:41.142947912 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50854 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:43.161623001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:43.293185949 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50856 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:43.876672983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:44.008143902 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50856 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:44.956955910 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:45.088327885 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50858 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:45.165210009 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:45.297360897 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50858 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:47.945744038 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:48.078214884 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50861 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:50.196868896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:50.330950022 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50863 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:56.569972992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:56.701260090 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50869 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:18:57.442723989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:18:57.573813915 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50870 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:19:00.809011936 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:19:00.940428972 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50873 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:19:10.949636936 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:11.571090937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:19:11.702282906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50884 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:19:21.711412907 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:21.784805059 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:19:21.916026115 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50894 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:19:26.543704987 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:19:26.674926996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50899 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:19:36.686605930 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:46.699974060 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:19:56.713351011 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:02.956254005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:20:03.087656975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 50936 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 28, 2024 02:20:13.089934111 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:23.102933884 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:33.115958929 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:43.122462034 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:20:53.134355068 CET	6	OUT	Data Raw: 00 Data Ascii:
Oct 28, 2024 02:21:24.434818983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 28, 2024 02:21:24.566904068 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 27 Oct 2024 11:11:07 GMT Age: 51017 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	21:18:20
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x510000
File size:	919'552 bytes
MD5 hash:	158A88B989303EB0443DB400EEA08E23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1749194237.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1749451115.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:18:20
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:18:20
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:18:22
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:18:23
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xd0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:18:23
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:18:23
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:18:23
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:18:23
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	21:18:24
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4545e727-0c1a-4468-96bf-5b74738a9406} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 2410036fd10 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	21:18:26
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3572 -parentBuildID 20230927232528 -prefsHandle 4496 -prefMapHandle 4492 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11f93443-0807-4a81-8b55-bb39ff0fc5bb} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24110c63e10 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	21:18:42
Start date:	27/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b805f6f-7f96-4d47-a250-29f74ce1fae6} 7712 "\\.\pipe\gecko-crash-server-pipe.7712" 24100371b10 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	1583
Total number of Limit Nodes:	56

Executed Functions

Function 005142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0051430D

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetCurrentProcess.KERNEL32(?,005ACB64,00000000,?,?), ref: 00514422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00514429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00514454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00514466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00514474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0051447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005144A0

Strings

|O, xrefs: 005536F8
kernel32.dll, xrefs: 0051444F
GetNativeSystemInfo, xrefs: 00514460

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction ID: ac8a0bbb934b3f79df29d2195ded40d43c13280d5240523b76426081269d0183
Opcode Fuzzy Hash: 9c8305d5dcf685a4b0f12ecb36f2286912806a6685b9f5acf30200da6524060d
Instruction Fuzzy Hash: 7FA1E47190AAC0CFDB19C7697CC01D97FA57B3E780B285C99D4C59BA22D2704A4CEB39

Function 005142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005150AA,?,?,00000000,00000000), ref: 005142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005150AA,?,?,00000000,00000000), ref: 005142C9
LoadResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535BE
SizeofResource.KERNEL32(?,00000000,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20), ref: 005535D3
LockResource.KERNEL32(005150AA,?,?,005150AA,?,?,00000000,00000000,?,?,?,?,?,?,00514F20,?), ref: 005535E6

Strings

SCRIPT, xrefs: 005142BF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction ID: e5e0dc8853f89fc7c25ddc1ad19a9260f9aa9c733a047f7e9c79c4dffda4c798
Opcode Fuzzy Hash: 48154616b0d3bdbeceac9f668d8d361e85e1801ac70b02415dabd46cd6e3cbc2
Instruction Fuzzy Hash: B6117C78200701BFE7218B65DC48F677FBAFFD6B51F108169B41296250DB71D8449A20

Function 00552BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,005D2224), ref: 00552C10
ShellExecuteW.SHELL32(00000000,?,?,005D2224), ref: 00552C17

Strings

runas, xrefs: 00552C0B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 49a78bd8dfd4f7d67803ca02ab566bcddb0a5423d608a0b6cc5200ef0ed917e9
Instruction ID: f702cb7e64c365209b1356b3a388479cdc678667a0ed7ac8af206a66260bd42c
Opcode Fuzzy Hash: 49a78bd8dfd4f7d67803ca02ab566bcddb0a5423d608a0b6cc5200ef0ed917e9
Instruction Fuzzy Hash: C411E7311083426AEB14FF20D8699FD7FA4BFE1351F04082EF182421A2CF318AC9D712

Function 0057D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Process32NextW.KERNEL32(00000000,?), ref: 0057D52F
CloseHandle.KERNELBASE(00000000), ref: 0057D5DC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction ID: 0cbd07d4ea5bc414d7b2edae0afe1046bfdd6431b579897f7af5bc7426a4cc97
Opcode Fuzzy Hash: 48295adde6f564ff33f5dd67e6fe03865055bdf0c57b277dc5e1292b29985055
Instruction Fuzzy Hash: 2D318D71108301AFD301EF54D885AAFBFF8BFD9344F10492DF585821A1EB719988DBA2

Function 0057DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00555222), ref: 0057DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0057DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0057DBEE
FindClose.KERNEL32(00000000), ref: 0057DBFA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction ID: f0e16c42470e8858e4035df2d2e7cfdca5165d8050b9322c8c5084dd2548bc3d
Opcode Fuzzy Hash: d667dd7003aae2d823655a1aedfb75caaccad058711674bbbda24ed44d2af4e7
Instruction Fuzzy Hash: 36F0A0308109105783216B78AC0D8AA3FBCAF42334B108702F87AC20E0EBB05D58EAA5

Function 00534CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D09
TerminateProcess.KERNEL32(00000000,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000,?,005428E9), ref: 00534D10
ExitProcess.KERNEL32 ref: 00534D22

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction ID: ecd0645cbbe328e136bc984cf64a200a30c7cdb28f7f02806e61409061b09998
Opcode Fuzzy Hash: 82bd4bc6b819be00dd79d5582f8343fdd539c6cf3c8a409646c44832efbf5928
Instruction Fuzzy Hash: 2FE0B631000149ABCF11AF54DD09A593F69FB92785F104814FC059A132CB35ED46DE80

Function 0051BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#^, xrefs: 005607CE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#^
API String ID: 3964851224-2580200144
Opcode ID: 7dd490e0c8edbb3dddce27cb520b6bcb7073bcd442c33e188c322816136524ea
Instruction ID: 180d47d191b079c4de38bfffd8ad49dc2cea871e64a4e535c356fef6e14eddb3
Opcode Fuzzy Hash: 7dd490e0c8edbb3dddce27cb520b6bcb7073bcd442c33e188c322816136524ea
Instruction Fuzzy Hash: 0DA26B706083419FD714DF18C484B6ABFE1BF89304F14896DE89A9B392D772EC85CB92

Function 0059AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0059B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059B1D4
_wcslen.LIBCMT ref: 0059B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059B236
_wcslen.LIBCMT ref: 0059B332

Part of subcall function 005805A7: GetStdHandle.KERNEL32(000000F6), ref: 005805C6

_wcslen.LIBCMT ref: 0059B34B
_wcslen.LIBCMT ref: 0059B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059B3B6
GetLastError.KERNEL32(00000000), ref: 0059B407
CloseHandle.KERNEL32(?), ref: 0059B439
CloseHandle.KERNEL32(00000000), ref: 0059B44A
CloseHandle.KERNEL32(00000000), ref: 0059B45C
CloseHandle.KERNEL32(00000000), ref: 0059B46E
CloseHandle.KERNEL32(?), ref: 0059B4E3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 0b706b2a19a7e54609a7850193680910caea8f92db3ea7e1b13ba4e475b714b5
Instruction ID: 22fa9e0d10ca38dedbe654ad8102f7799fe74ffb57dea26696b9a8f2fa066a33
Opcode Fuzzy Hash: 0b706b2a19a7e54609a7850193680910caea8f92db3ea7e1b13ba4e475b714b5
Instruction Fuzzy Hash: 20F189316043019FEB14EF24D999B6ABFE5BF85310F14895DF8899B2A2DB31EC44CB52

Function 0051D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0051D807
timeGetTime.WINMM ref: 0051DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB28
TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNELBASE(0000000A), ref: 0051DBB1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 176867f16ce7f37b8c0371c1b5fc6cdafdbdf558ea362d9fc6ffc227b7685206
Instruction ID: fd57dc7d5e94747b1b16466e0e835fa13b7976316c91f25d005dd059956decd9
Opcode Fuzzy Hash: 176867f16ce7f37b8c0371c1b5fc6cdafdbdf558ea362d9fc6ffc227b7685206
Instruction Fuzzy Hash: EE42C5706087429FE728CF24C888BAABFF4BF95304F14495DE4958B291D774E884DFA2

Function 00512CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512D07
RegisterClassExW.USER32(00000030), ref: 00512D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
LoadIconW.USER32(000000A9), ref: 00512D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

+, xrefs: 00512CF0
TaskbarCreated, xrefs: 00512D37
AutoIt v3 GUI, xrefs: 00512D23
0, xrefs: 00512CE9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction ID: f143d0c6b0c80f3b561a8e98a00846a8f3dcc9a9066f4841c4aa78f998568ed5
Opcode Fuzzy Hash: 05a03a51e42841c1cd0665a3e8ae9cb0c71c7fa4468e5983488920ca7cf30ad6
Instruction Fuzzy Hash: F021E3B5901258AFDB00DFA4E889BDDBFB4FB19700F00811AF551EA2A0D7B50548EFA4

Function 0055065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0055039A: CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

GetLastError.KERNEL32 ref: 0055076F
__dosmaperr.LIBCMT ref: 00550776
GetFileType.KERNELBASE(00000000), ref: 00550782
GetLastError.KERNEL32 ref: 0055078C
__dosmaperr.LIBCMT ref: 00550795
CloseHandle.KERNEL32(00000000), ref: 005507B5
CloseHandle.KERNEL32(?), ref: 005508FF
GetLastError.KERNEL32 ref: 00550931
__dosmaperr.LIBCMT ref: 00550938

Strings

H, xrefs: 005508BD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction ID: 86c9dab704b1307408f9815d7b70e31a8ce6c6967f8c5cd898817c4fe478aa28
Opcode Fuzzy Hash: d391549f42ad372cd4da605374c614e6c34598012bd20f1ceba67b5255ef5fab
Instruction Fuzzy Hash: 7DA14636A101058FDF19AF68DCA5BAE3FA0FB46321F14115AFC119F2D1DB31981ADB91

Function 0051344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00513A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E1418,?,00512E7F,?,?,?,00000000), ref: 00513A78

Part of subcall function 00513357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00513379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0051356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005531CE
RegCloseKey.ADVAPI32(?), ref: 00553210
_wcslen.LIBCMT ref: 00553277
_wcslen.LIBCMT ref: 00553286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00513560
\Include\, xrefs: 00513527
Include, xrefs: 00553184, 005531C5
\, xrefs: 0055328C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 59ba445b5f2aeb59a8a8ecd0324b3528bd4cf2b228c2e376edbf35032a3dc23b
Instruction ID: 92f4a2eb1b32ecace75e30f4bbb629a098089ed271d80905e5beff44e7be68d5
Opcode Fuzzy Hash: 59ba445b5f2aeb59a8a8ecd0324b3528bd4cf2b228c2e376edbf35032a3dc23b
Instruction Fuzzy Hash: 23716D714043419ED318DF65DC969ABBFE8BF99740F40082EF585871A4EB709A88DF61

Function 00512B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00512B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00512B9D
LoadIconW.USER32(00000063), ref: 00512BB3
LoadIconW.USER32(000000A4), ref: 00512BC5
LoadIconW.USER32(000000A2), ref: 00512BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00512BEF
RegisterClassExW.USER32(?), ref: 00512C40

Part of subcall function 00512CD4: GetSysColorBrush.USER32(0000000F), ref: 00512D07
Part of subcall function 00512CD4: RegisterClassExW.USER32(00000030), ref: 00512D31
Part of subcall function 00512CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00512D42
Part of subcall function 00512CD4: InitCommonControlsEx.COMCTL32(?), ref: 00512D5F
Part of subcall function 00512CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00512D6F
Part of subcall function 00512CD4: LoadIconW.USER32(000000A9), ref: 00512D85
Part of subcall function 00512CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00512D94

Strings

AutoIt v3, xrefs: 00512C2F
0, xrefs: 00512C0F
#, xrefs: 00512C16

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction ID: ab420cb404ae0d20ee839d5fdab40278d11b92ac88542dcbe3edf1425b223d21
Opcode Fuzzy Hash: c8c7ba3d9ffbf7dad13689c7b0c4d9a9b61d5d69ee38b5dec210e6b8c6c1a51e
Instruction Fuzzy Hash: 90216A70E00358AFDB149FA5EC89AAD7FF4FB1CB50F00041AE580AA7A0D3B10548EF88

Function 00513170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0051316A,?,?), ref: 005131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0051316A,?,?), ref: 00513204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00513227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0051316A,?,?), ref: 00513232
CreatePopupMenu.USER32 ref: 00513246
PostQuitMessage.USER32(00000000), ref: 00513267

Strings

TaskbarCreated, xrefs: 0051322D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 50daae57c2c84d453a3c3aba6bdf7661dea9d7be9e4876375b55130b2d6c7345
Instruction ID: 2ab847bb1c256f8f2e4315ca530101497210aa3205ea15995f18b23dfea5c71b
Opcode Fuzzy Hash: 50daae57c2c84d453a3c3aba6bdf7661dea9d7be9e4876375b55130b2d6c7345
Instruction Fuzzy Hash: E7414939240644B7FB186B78DC7DBFD3E59F756340F04052AF9528A1A1CB708AC8E7A5

Function 00511410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00511459
CoUninitialize.COMBASE ref: 005114F8
UnregisterHotKey.USER32(?), ref: 005116DD
DestroyWindow.USER32(?), ref: 005524B9
FreeLibrary.KERNEL32(?), ref: 0055251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0055254B

Strings

close all, xrefs: 00511454

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 4c7284e9177615424abd33aea7964d3098e44775fd7943789c732cef821113a9
Instruction ID: 6868d8ac1e200b6f10c86dff4f2ce615e05f25ca166e739ad64f0d328634d7ee
Opcode Fuzzy Hash: 4c7284e9177615424abd33aea7964d3098e44775fd7943789c732cef821113a9
Instruction Fuzzy Hash: 4AD1BD31701622CFEB19EF14D4A8A69FFA4BF46700F1441EEE94A6B252DB30AC56CF54

Function 00512C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00512C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00512CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00511CAD,?), ref: 00512CCF

Strings

edit, xrefs: 00512CAC
AutoIt v3, xrefs: 00512C89, 00512C8E, 00512C8F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction ID: b78191da6a19a4070b5bd1660b6506e9f4f27e897899a2873503c4c8845f81f5
Opcode Fuzzy Hash: 89165a7c98567d1cc41c631086db311e900b2983ca30c5ee3e8e3083fefe8e11
Instruction Fuzzy Hash: 1FF03A755402D07EEB300713AC88E773EBDE7EBF50B00045EF940AA5A0C6711848EAB8

Function 00513B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00513B0F,SwapMouseButtons,00000004,?), ref: 00513B83

Strings

Control Panel\Mouse, xrefs: 00513B3E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction ID: 09d53879e9682ef28836425b54e2f20288d6eab53c977c5ae174cfe8191ab0fe
Opcode Fuzzy Hash: 319631d09ed959d626de6772052e70475460ae4af12e77f925a05db88f3ffe56
Instruction Fuzzy Hash: 35112AB5514208FFEB208FA5DC58AEFBBB8FF05744B104859A805D7110E2319E84A760

Function 00513923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005533A2

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Strings

Line: , xrefs: 005533EB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 47bd41e12cc419c588fbe870e997675488a2467051a2eb6f987f2f57f525150a
Instruction ID: 37012539bff7429e0e1a0e8109a5fc8a43f79459d6da61c8ef5df5daa4e78fbd
Opcode Fuzzy Hash: 47bd41e12cc419c588fbe870e997675488a2467051a2eb6f987f2f57f525150a
Instruction Fuzzy Hash: 2431E271408301AAE325EB20DC59BEBBFD8BF94710F100D2AF59993091EB709688C7C6

Function 00512DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00552C8C

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 00512DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Strings

`e], xrefs: 00552C85
X, xrefs: 00552C5A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e]
API String ID: 779396738-2761306869
Opcode ID: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction ID: 6c7f1b1fc690e06ec670124cc7bb6c773e2ca169bf0c90e93474dc7d2e786c83
Opcode Fuzzy Hash: 233d51a63626955e37975bd671959e772abcd52637bf02909dccb5e526c68677
Instruction Fuzzy Hash: 64218171A002589BDB41DF98D849BEE7FF8BF89305F00405AE405A7241DBB45A898F61

Function 0052FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00530668

Part of subcall function 005332A4: RaiseException.KERNEL32(?,?,?,0053068A,?,005E1444,?,?,?,?,?,?,0053068A,00511129,005D8738,00511129), ref: 00533304

__CxxThrowException@8.LIBVCRUNTIME ref: 00530685

Strings

Unknown exception, xrefs: 00530692

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c71999923d2a1515696546d23750eedc3b54cedce785c4248cf2589d742347fa
Instruction ID: 330f89fbd2b33b6d71b1ab31fef8c90d072caeb2ce816210f737f1f86866d3d9
Opcode Fuzzy Hash: c71999923d2a1515696546d23750eedc3b54cedce785c4248cf2589d742347fa
Instruction Fuzzy Hash: DEF0C23490030E77CF00B6A8E85AC9E7F7CBE81310F604532B824D65D5EF71EA65CA80

Function 005110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00511BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
Part of subcall function 00511BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Part of subcall function 00511B4A: RegisterWindowMessageW.USER32(00000004,?,005112C4), ref: 00511BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051136A
OleInitialize.OLE32 ref: 00511388
CloseHandle.KERNEL32(00000000,00000000), ref: 005524AB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction ID: a2c1be7d9bad3e72d67d319451dd2cef8a1051d32bf9687fd9b9a2537118ac49
Opcode Fuzzy Hash: d9f1934d5bc0c945d4157bae68404e77a2955491e444033d96acdde581ce522f
Instruction Fuzzy Hash: 8F71C1B5905B818ED78CDF79A9C56993EE0FBA9340744416BD08ACF3A1EB304488EF4D

Function 0057C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00513923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00513A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0057C259
KillTimer.USER32(?,00000001,?,?), ref: 0057C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0057C270

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction ID: 8268c38520dea522e2ad6d0c6ea99744c00fa1bb3e7c6e7c4814fcfdb04259e6
Opcode Fuzzy Hash: 84e430f0ea7d7c3f3f44777c474e6665588b1047e38d15e98f6fc299fc65fdcc
Instruction Fuzzy Hash: 9C31C574904744AFEB22CF64A895BEBBFECAB17304F00449DD2DE97242C7745A88DB51

Function 005486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005485CC,?,005D8CC8,0000000C), ref: 00548704
GetLastError.KERNEL32(?,005485CC,?,005D8CC8,0000000C), ref: 0054870E
__dosmaperr.LIBCMT ref: 00548739

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction ID: ca96c30c1691fcba0cd7422c8e6215f49d8d2d32e340fa7d64285d3245ada209
Opcode Fuzzy Hash: 13746a9286d7fc3804120b1d10a8ee9d0988eada42a7bdc636fafadc96d8caf8
Instruction Fuzzy Hash: E0018E33A0426027D6A56B346889BFE2F59BBE277CF3A0519F8148B1D3EEB1CC819150

Function 0051DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0051DB7B
DispatchMessageW.USER32(?), ref: 0051DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0051DB9F
Sleep.KERNELBASE(0000000A), ref: 0051DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00561CC9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction ID: b04c57b5133ee7231b73540fc7dc41ed18e125d81c195027c2f3adf0a976cd47
Opcode Fuzzy Hash: 63e18fd78ce78f31ea2fdcd4028c3206ac68d47b68e7d8c617a6442931273816
Instruction Fuzzy Hash: DBF05E306483809BFB34CB608C89FEA7BBCFB95310F104918E64A830C0DB30A488DB29

Function 00521310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005217F6

Strings

CALL, xrefs: 005217C6

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9aa9c627c0e30c51fe95d81123e822f8cad44c652a0d19d8a0e93417bfadfe1f
Instruction ID: 6634c6f1f2c92b9a7d328588e81a4e2057efe7602474ce4a2ff8a8cee2b1219c
Opcode Fuzzy Hash: 9aa9c627c0e30c51fe95d81123e822f8cad44c652a0d19d8a0e93417bfadfe1f
Instruction Fuzzy Hash: 9422AB706086529FC714DF14E484A2BBFF1BFA6314F18896DF4868B3A2D731E845CB86

Function 00513837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction ID: a3104f05ad26b2e79550cb6a0e322f9f8e9617fb0eba3216efbd6ecfaa37af3a
Opcode Fuzzy Hash: 733028056f64d79adee4306f92ca461db6d2bdca87065f33659f66aaa9822bdc
Instruction Fuzzy Hash: 3D319C705057019FE720DF24D8947DBBFE8FB59708F00092EF99997240E771AA88DB56

Function 0052F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0052F661

Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807

Sleep.KERNEL32(00000000), ref: 0056F2DE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 12a6b3d7e8acf3c36911949548642d6e51b677f8cb7934a2198f02dd5cec6bf1
Instruction ID: f6e850105bc36d4462306ecb572e2ca58b7f35d57296f5311e41e76973719d37
Opcode Fuzzy Hash: 12a6b3d7e8acf3c36911949548642d6e51b677f8cb7934a2198f02dd5cec6bf1
Instruction Fuzzy Hash: 0CF082312402169FE310EF65E449B9ABFF5FF96760F000029E859C72A0EB70A840CF90

Function 00539141 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00544CDA: DeleteCriticalSection.KERNEL32(?,?,?,?,?,005D8BE8,00000010,0053914E), ref: 00544D3C
Part of subcall function 00544CDA: _free.LIBCMT ref: 00544D4A

Part of subcall function 00544D7A: _free.LIBCMT ref: 00544D9C

DeleteCriticalSection.KERNEL32(-00000020), ref: 0053916A
_free.LIBCMT ref: 0053917E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID:
API String ID: 1906768660-0
Opcode ID: da7ba2fb0cd321abb9cb5bf2034b1df6ccceb4e7ef82467be91efd9eeb3cb557
Instruction ID: 23b4227f49f28c5096c4a324655b8651faffd4550ae509d258c4b53196324264
Opcode Fuzzy Hash: da7ba2fb0cd321abb9cb5bf2034b1df6ccceb4e7ef82467be91efd9eeb3cb557
Instruction Fuzzy Hash: 91E0D833C20450C7C7256BACFC896AD3BA8FB99318F091516F44457161CB616C859A44

Function 00514ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00514E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
Part of subcall function 00514E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
Part of subcall function 00514E90: FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EFD

Part of subcall function 00514E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
Part of subcall function 00514E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
Part of subcall function 00514E59: FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 7194d4866a79915ef8ec09aabf73dce4a15e9113ac754805e5119d69ab1afc96
Instruction ID: 48b0312ac32c550c80d4d31d0f05ca6639ee46fab9d83a75a2a14cdf16941df8
Opcode Fuzzy Hash: 7194d4866a79915ef8ec09aabf73dce4a15e9113ac754805e5119d69ab1afc96
Instruction Fuzzy Hash: 7111C431600206AAEF15AB60D81AFED7FA5BFC0711F10442AF542AA2D1EE719E85DB50

Function 00548402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00548440

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction ID: 618b61f8fe42da43e59964d0c08dde0c02aa4591aef5de213732375e3dde6d57
Opcode Fuzzy Hash: 9d59626c12810cbc246622456b8a193d956298b931b56eeeb23c261f8471b7f1
Instruction Fuzzy Hash: 5311257590410AAFCF09DF58E9449EE7BF8FF48308F144059F808AB352DA30DA118BA4

Function 00545000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00544C7D: RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

_free.LIBCMT ref: 0054506C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 655a31e7387c1f28a70501aabde92791eb52eb4d5a70654cf98b1306b346947d
Instruction ID: faf7293bcd45e29fdd4cd395ffc8697be0ccd866822b4e37b3ecc14e7bffd585
Opcode Fuzzy Hash: 655a31e7387c1f28a70501aabde92791eb52eb4d5a70654cf98b1306b346947d
Instruction Fuzzy Hash: 090126762047056BE3218E659889ADAFFE9FB89374F65051DE18883281EA30A805C6B4

Function 0053E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6648c02b6181a3054024c9e46e369ee253c9ce1af06010b8a4fd45ee0b60682
Instruction ID: 6c5e10eb16971aa7c5077b82ff950d0662c1c295916054eef83bed6e1020f663
Opcode Fuzzy Hash: b6648c02b6181a3054024c9e46e369ee253c9ce1af06010b8a4fd45ee0b60682
Instruction Fuzzy Hash: 57F02D32510A1597D7313A65AC0FB9B3FE8BFD2339F100719F424931D1CB70D80186A5

Function 00544C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00511129,00000000,?,00542E29,00000001,00000364,?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?), ref: 00544CBE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction ID: 4659401197991350d627ea968523f16c841bb239aadb1ac43c86834c658446de
Opcode Fuzzy Hash: b9e1522ed38326f20b62199e8f248f0d4790d6e57c2baea3e7d318970a886a16
Instruction Fuzzy Hash: 52F0E93168222567DB215F72AC8DBDB3F98BF917A9F1C4121BC15AA281CA30DC009EE0

Function 00543820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction ID: 2f5f05b9be6bcdeb8d9d0c5cea27efbf4dca003c3cd192af6aa530af4a067f40
Opcode Fuzzy Hash: 1fc77640f5bb0d2085960ab3dbfc0d280e7bce6a13504e8330d23459534c25dc
Instruction Fuzzy Hash: F9E02B3110322596D7312A779C04BDBBF49BF927B8F050030BC14965B0DB21ED019AE1

Function 00514F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514F6D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 481e248888786dab5058cd4ea2bf296aa52614f0619bda266c4ebcc99ac3f866
Instruction ID: 2c9151721821c03295ce8f418c1f18d359c46c982612447c3d2c6a9ce3916412
Opcode Fuzzy Hash: 481e248888786dab5058cd4ea2bf296aa52614f0619bda266c4ebcc99ac3f866
Instruction Fuzzy Hash: B4F01571105792CFEB349F64E4948A2BFE4BF15329324997EE1EA86721C7319889DF10

Function 005A2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005A2A66

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f5a5ce2487b24e0711a4b4f9e999c03bd242d5e58d26657475bc8d3cb6fd7a9e
Instruction ID: 3b6dae236ee1baa2f905901f1685248ec44deaee45dc9ab563c0c579abfe236a
Opcode Fuzzy Hash: f5a5ce2487b24e0711a4b4f9e999c03bd242d5e58d26657475bc8d3cb6fd7a9e
Instruction Fuzzy Hash: 9CE0DF32340116AEC710EA34EC859FE7F4CFB91390B004836AC2AD2100DB308985A6B0

Function 005130F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 87b0ec55f3cdf01ecdcbf0170f025b3bd1782a08a607d2e5f2d50353eb9ae2f5
Instruction ID: 2e44d64593e3ac06e3c001d16dcfa6b478f94b00ec6f1aa0d4b352e3687bc47e
Opcode Fuzzy Hash: 87b0ec55f3cdf01ecdcbf0170f025b3bd1782a08a607d2e5f2d50353eb9ae2f5
Instruction Fuzzy Hash: D2F0A7709003449FEB52DB24DC897D97FBCB705708F0000E5A18896181DB7047CCCF55

Function 00512DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00512DC4

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction ID: af6bb60d88b20b4a14c9e3f61be18ee2463dd605261ee7774c41c0eb110563f5
Opcode Fuzzy Hash: 1caff749c3c295e75cceea02674f4a6ab957183f92078c586c7744f08f545cca
Instruction Fuzzy Hash: B9E0CD766041245BC71092589C09FEA7BDDEFC8790F050071FD09D7248DA60AD848550

Function 00512B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00513837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00513908

Part of subcall function 0051D730: GetInputState.USER32 ref: 0051D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00512B6B

Part of subcall function 005130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0051314E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: be89c227c4e0883328b459421ed61efdf47b788cea86a10d855fd3cb58fd9110
Instruction ID: 9e774b8ef3a567c51a5a47a9b086c4ec7cdf331ecb298829a5f51daef80eac61
Opcode Fuzzy Hash: be89c227c4e0883328b459421ed61efdf47b788cea86a10d855fd3cb58fd9110
Instruction Fuzzy Hash: D3E0863130424617EB08BB75A86A5EDBF99BBE5351F40153EF182472A2CF658AC98352

Function 0055039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00550704,?,?,00000000,?,00550704,00000000,0000000C), ref: 005503B7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction ID: e3fdca1bd9b971a046894b3aa3ac286079517264a556a7e70bb7ea0c106ed27b
Opcode Fuzzy Hash: 54f1aac22010cd729c72b798458b2d50dd5650f05d8a71586cfef900dec2cc58
Instruction Fuzzy Hash: 8AD06C3214010DBBDF028F84DD06EDA3FAAFB48714F014000BE1856020C736E821EB90

Function 00511CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00511CBC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction ID: c4d423dec8d936809a059062ce4fa6cb68b61af6229407aa99593c5eb325b763
Opcode Fuzzy Hash: 47ad4b8e05770eede9ba130daf9b36dba2778459329f13e8e9734d64e9f979a1
Instruction Fuzzy Hash: 96C09B352803449FF3184780BD8AF107754A36CB01F444401F6895D5E3C7B11814FA54

Non-executed Functions

Function 005A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A96C9
SendMessageW.USER32 ref: 005A96F2
GetKeyState.USER32(00000011), ref: 005A978B
GetKeyState.USER32(00000009), ref: 005A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005A97AE
GetKeyState.USER32(00000010), ref: 005A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A97E9
SendMessageW.USER32 ref: 005A9810
SendMessageW.USER32(?,00001030,?,005A7E95), ref: 005A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005A9941
SetCapture.USER32(?), ref: 005A994A
ClientToScreen.USER32(?,?), ref: 005A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A99D6
ReleaseCapture.USER32 ref: 005A99E1
GetCursorPos.USER32(?), ref: 005A9A19
ScreenToClient.USER32(?,?), ref: 005A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9A80
SendMessageW.USER32 ref: 005A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9AEB
SendMessageW.USER32 ref: 005A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005A9B4A
GetCursorPos.USER32(?), ref: 005A9B68
ScreenToClient.USER32(?,?), ref: 005A9B75
GetParent.USER32(?), ref: 005A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 005A9BFA
SendMessageW.USER32 ref: 005A9C2B
ClientToScreen.USER32(?,?), ref: 005A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 005A9CDE
SendMessageW.USER32 ref: 005A9D01
ClientToScreen.USER32(?,?), ref: 005A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005A9D82

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetWindowLongW.USER32(?,000000F0), ref: 005A9E05

Strings

F, xrefs: 005A9D07
p#^, xrefs: 005A9990
@GUI_DRAGID, xrefs: 005A997D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#^
API String ID: 3429851547-1742403966
Opcode ID: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction ID: 8b808e43fcf4666124bd06d5fd4d09a42a9fe7d8a9a0dbda268f7e4305b14c51
Opcode Fuzzy Hash: 508a200880fb2dcc4a96c1f3b3d0f8ba6faf4fc5b40d4db587102515b123718b
Instruction Fuzzy Hash: 8E427E34604251AFDB25CF28CC84AAEBFE5FF9A310F140A19F6998B2A1D731E854DF51

Function 005A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005A4A7E
IsMenu.USER32(?), ref: 005A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005A4B20
GetWindowLongW.USER32(?,000000F0), ref: 005A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005A4C82
wsprintfW.USER32 ref: 005A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 005A4D5A

Strings

%d/%02d/%02d, xrefs: 005A4CA8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ab5bb06dd890db35b6e2fb74b5729845433c4d161124ea0b2c6ad7967ee7c973
Instruction ID: ff3a53fc80c8389ccc4f5d2e9e7ab0a3bb3ed87342e9b58df4dc6d93e7d984d5
Opcode Fuzzy Hash: ab5bb06dd890db35b6e2fb74b5729845433c4d161124ea0b2c6ad7967ee7c973
Instruction Fuzzy Hash: 9312CC71600255ABEB258FA8DC49BAE7FF8BF86310F104529F516EB2E1DBB49940CF50

Function 0052F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0052F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0056F474
IsIconic.USER32(00000000), ref: 0056F47D
ShowWindow.USER32(00000000,00000009), ref: 0056F48A
SetForegroundWindow.USER32(00000000), ref: 0056F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4AA
GetCurrentThreadId.KERNEL32 ref: 0056F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0056F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0056F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0056F4DE
SetForegroundWindow.USER32(00000000), ref: 0056F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F4F6
keybd_event.USER32(00000012,00000000), ref: 0056F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F50B
keybd_event.USER32(00000012,00000000), ref: 0056F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F519
keybd_event.USER32(00000012,00000000), ref: 0056F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0056F528
keybd_event.USER32(00000012,00000000), ref: 0056F52D
SetForegroundWindow.USER32(00000000), ref: 0056F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0056F557

Strings

Shell_TrayWnd, xrefs: 0056F46F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction ID: 278717d20a80338e72325e7e96d7edf358076d615b21dfaf1c2bde6e3d2b49e1
Opcode Fuzzy Hash: 99dcc326617ac6edcfe96143e748ccaf05a2417d214f9cd84eeb4c75766db03b
Instruction Fuzzy Hash: 30311D71E40218BBEB216BB55C4AFBF7E6CEB59B50F100466FA01E71D1CAB15D00ABA0

Function 00571201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00571286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005712A8
CloseHandle.KERNEL32(?), ref: 005712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005712D1
GetProcessWindowStation.USER32 ref: 005712EA
SetProcessWindowStation.USER32(00000000), ref: 005712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00571310

Part of subcall function 005710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
Part of subcall function 005710BF: CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Strings

default, xrefs: 0057130B
winsta0, xrefs: 005712CC
Z], xrefs: 00571392
, xrefs: 0057125A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z]
API String ID: 22674027-3859823317
Opcode ID: cd2d9275c718d7bd478246cdea08d36558a52b91fcd7898f05bad04266eb718b
Instruction ID: fcdd763ae2acfa499678418ae0f127607029247847ce67abfbfdbfc937ca58c6
Opcode Fuzzy Hash: cd2d9275c718d7bd478246cdea08d36558a52b91fcd7898f05bad04266eb718b
Instruction Fuzzy Hash: 4881AF71900609AFDF219FA8EC49FEE7FBAFF05700F148129F918A61A0D7318944EB64

Function 00570B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570C00
GetLengthSid.ADVAPI32(?), ref: 00570C17
GetAce.ADVAPI32(?,00000000,?), ref: 00570C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570C6D
GetLengthSid.ADVAPI32(?), ref: 00570C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570C8C
HeapAlloc.KERNEL32(00000000), ref: 00570C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570CB4
CopySid.ADVAPI32(00000000), ref: 00570CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D45
HeapFree.KERNEL32(00000000), ref: 00570D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D55
HeapFree.KERNEL32(00000000), ref: 00570D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570D65
HeapFree.KERNEL32(00000000), ref: 00570D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00570D78
HeapFree.KERNEL32(00000000), ref: 00570D7F

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction ID: beedb129fadc94d7be722a950c97dc8b2c039ac6c1c8008448bc0a75d78e36c9
Opcode Fuzzy Hash: 77b9a56704e2ddca1891660ce72c81f3d1bf958924dd6dd603c3fa942a30b92a
Instruction Fuzzy Hash: F4713C71A0020AEBDF10DFA5EC48FAEBFB8BF15310F148515E919A7291D771A905EB60

Function 0058EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(005ACC08), ref: 0058EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0058EB37
GetClipboardData.USER32(0000000D), ref: 0058EB43
CloseClipboard.USER32 ref: 0058EB4F
GlobalLock.KERNEL32(00000000), ref: 0058EB87
CloseClipboard.USER32 ref: 0058EB91
GlobalUnlock.KERNEL32(00000000), ref: 0058EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0058EBC9
GetClipboardData.USER32(00000001), ref: 0058EBD1
GlobalLock.KERNEL32(00000000), ref: 0058EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0058EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0058EC38
GetClipboardData.USER32(0000000F), ref: 0058EC44
GlobalLock.KERNEL32(00000000), ref: 0058EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0058EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0058ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0058ECF3
CountClipboardFormats.USER32 ref: 0058ED14
CloseClipboard.USER32 ref: 0058ED59

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction ID: 0a8b4eff1b4c06f5b63da2787e81935f4f73e1d3a40baabb761e3da65b3ec795
Opcode Fuzzy Hash: 9f0b9efbb33bc0988138c330b50c787ea237afe7d4e7eb8efb686105dd8d5992
Instruction Fuzzy Hash: 5661BF34204202AFD300EF24D89AF6ABFB4BF95714F14451DF896A72A2DB31DD49DB62

Function 0058698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005869BE
FindClose.KERNEL32(00000000), ref: 00586A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00586A75

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00586AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00586ADF

Strings

%03d, xrefs: 00586DA2
%4d, xrefs: 00586BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00586B32
%02d, xrefs: 00586C00, 00586C0A, 00586C5A, 00586CAA, 00586CFA, 00586D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00586B6A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction ID: 6f7dfe815ac6d371e7caf7b60cfe1a6e556da292a00cf721f621d7a26a54f650
Opcode Fuzzy Hash: 941213a7484778ab32e6477e783abb961878883097c990a1b8d03eaa8b0e5402
Instruction Fuzzy Hash: ECD15F72508301AED314EBA4D895EAFBBECBF88704F04491DF985D7291EB34DA44CB62

Function 00589642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00589663
GetFileAttributesW.KERNEL32(?), ref: 005896A1
SetFileAttributesW.KERNEL32(?,?), ref: 005896BB
FindNextFileW.KERNEL32(00000000,?), ref: 005896D3
FindClose.KERNEL32(00000000), ref: 005896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0058974A
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 00589768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00589772
FindClose.KERNEL32(00000000), ref: 0058977F
FindClose.KERNEL32(00000000), ref: 0058978F

Strings

*.*, xrefs: 005896F5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction ID: e06b54ad8eba499b6b8a4fe478946e26cd636b6fb4b98312bde7f07f89520740
Opcode Fuzzy Hash: 3e2b08dc0ec6f1249e52e93c13f7404d6bfc605f81c451f1b10f59454175141a
Instruction Fuzzy Hash: C531A03654021A6ADF24AFB5DC49AEE7FACFF4A320F184156F915F21A0EB30DE448B54

Function 0058979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 005897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00589819
FindClose.KERNEL32(00000000), ref: 00589824
FindFirstFileW.KERNEL32(*.*,?), ref: 00589840
SetCurrentDirectoryW.KERNEL32(?), ref: 00589890
SetCurrentDirectoryW.KERNEL32(005D6B7C), ref: 005898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005898B8
FindClose.KERNEL32(00000000), ref: 005898C5
FindClose.KERNEL32(00000000), ref: 005898D5

Part of subcall function 0057DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0057DB00

Strings

*.*, xrefs: 0058983B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction ID: bd9c7d75efeca15d4609e96e3d13370477dbf0bc7207b4d0043f2a5b7b236691
Opcode Fuzzy Hash: af2324613f000af4f34e0b339afbc49c4d921261e59c532d40635e96c8dd665d
Instruction Fuzzy Hash: 5431B23150021A6AEF20BFA4EC48AEE7FACBF46324F184156E954B2190DB30DE498F60

Function 0059BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0059BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0059BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0059C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0059C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0059C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0059C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059C382
RegCloseKey.ADVAPI32(00000000), ref: 0059C38F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 12f6cb8e06b946a676f3e2c1aaa92d7764e4db79714c3a30b36b3be1adf104b6
Instruction ID: 2c5b2b5bcfe71e4df36ba936dd4ff594d412014c7c1d8cc7b451444b97c19a2f
Opcode Fuzzy Hash: 12f6cb8e06b946a676f3e2c1aaa92d7764e4db79714c3a30b36b3be1adf104b6
Instruction Fuzzy Hash: EC024C716042019FDB14DF28C895E2ABFE5BF89314F18889DF84ADB2A2D731ED45CB51

Function 00588195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00588257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00588267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00588273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00588310
SetCurrentDirectoryW.KERNEL32(?), ref: 00588324
SetCurrentDirectoryW.KERNEL32(?), ref: 00588356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0058838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00588395

Strings

*.*, xrefs: 0058839B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction ID: 7c475f708cf66aeafc0f9aa510feada81e8ccd3ae88b66f64402f6417c7d0f99
Opcode Fuzzy Hash: d6cc8b3e27ef4d0c61ede0a983e01e97532d2a048b51cb7c252edefd544a757f
Instruction Fuzzy Hash: 47619E755043069FD710EF64C8459AEBBE9FF89310F448C1EF98993251EB31E945CB92

Function 0057D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0057D1DD
MoveFileW.KERNEL32(?,?), ref: 0057D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D237

Part of subcall function 0057D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0057D21C,?,?), ref: 0057D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0057D253
FindClose.KERNEL32(00000000), ref: 0057D264

Strings

\*.*, xrefs: 0057D0CD, 0057D0D6, 0057D0EB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction ID: abb67afadee84401edae6accc36a28799cbe7b2ee976bf676f5319ac9f69929a
Opcode Fuzzy Hash: 981ac46e5a791924acc255902c2526183e3029e099f4aaf21512f0d6a05bafef
Instruction Fuzzy Hash: B1617F3180110EAADF05EBE0D9569EDBFB5BF95300F648065E40677192EB316F49EB60

Function 0058ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0058ED91
EmptyClipboard.USER32 ref: 0058ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0058EDAC
CloseClipboard.USER32 ref: 0058EEA3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction ID: 2679c957e10afe80cde0d3453917f6397d87073afe060390bf164002e43e7b78
Opcode Fuzzy Hash: 40d53d5340cc6b32305873e304a09ba6f718dcd2d885cd50c9533605a6c0aa24
Instruction Fuzzy Hash: 8941CD35204611AFE320EF19D88AB19BFF5FF55318F14C499E8559B6A2C731EC46CB90

Function 0057E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
Part of subcall function 005716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
Part of subcall function 005716C3: GetLastError.KERNEL32 ref: 0057174A

ExitWindowsEx.USER32(?,00000000), ref: 0057E932

Strings

SeShutdownPrivilege, xrefs: 0057E902
, xrefs: 0057E95C
@, xrefs: 0057E925
, xrefs: 0057E920

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction ID: 3d8285020655f0a4da70bace973e2ded67ee0411d300582781ff7b42d04a9a9f
Opcode Fuzzy Hash: a99771954b857ff24358e4ebec0add295ba28f475951914c1b531091c3dc5599
Instruction Fuzzy Hash: 86012B33610311ABEB642678BC8BFBF7E5CB719740F148862FE07E21D1D6605C44A294

Function 00591204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00591276
WSAGetLastError.WSOCK32 ref: 00591283
bind.WSOCK32(00000000,?,00000010), ref: 005912BA
WSAGetLastError.WSOCK32 ref: 005912C5
closesocket.WSOCK32(00000000), ref: 005912F4
listen.WSOCK32(00000000,00000005), ref: 00591303
WSAGetLastError.WSOCK32 ref: 0059130D
closesocket.WSOCK32(00000000), ref: 0059133C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction ID: 56d52344c05c3da122d081dace615ef2e542fafc9548844fce2655244f72d4ef
Opcode Fuzzy Hash: 93cef969da796da19ceebe48d052bfd0765d33f128b678d9899cb982a21ae9fa
Instruction Fuzzy Hash: F34190356005129FDB10EF24C488B69BFE6BF86318F188588E8568F2D2C775EC85CBE1

Function 0057D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

FindFirstFileW.KERNEL32(?,?), ref: 0057D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0057D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0057D481
FindClose.KERNEL32(00000000), ref: 0057D498
FindClose.KERNEL32(00000000), ref: 0057D4A1

Strings

\*.*, xrefs: 0057D3F2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction ID: 4492faea13b5ff97c31ade59f6912fc78f2ee5c62d5d3948ae735cf9f7e6cddb
Opcode Fuzzy Hash: f34b22bfdf773d1acf36d8306eb9f5f24247ba4289ec5df2495814359a51ab57
Instruction Fuzzy Hash: 2D315E710083429BD701EF64D8599EFBFF8BEE2310F448E1DF4D552191EB60AA49E762

Function 0054E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0054E645

Strings

1#IND, xrefs: 0054F83D
1#SNAN, xrefs: 0054F844
1#INF, xrefs: 0054F852
1#QNAN, xrefs: 0054F84B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction ID: d7c299d255602201832638ca2b45f1e9c501374821133afc9694ce96cd203bf3
Opcode Fuzzy Hash: 2639705a19b7efbfbdc79290edc89de81fa9247dd7d632e2f70ab8793298c6b6
Instruction Fuzzy Hash: 58C25A72E046298FDB25CE28DD457EABBB5FB84308F1445EAD44EE7241E774AE818F40

Function 0058648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005864DC
CoInitialize.OLE32(00000000), ref: 00586639
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 00586650
CoUninitialize.OLE32 ref: 005868D4

Strings

.lnk, xrefs: 005864BA, 00586524, 005865E0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction ID: 5766b7b8f55e185325d770d0756ba79b2c9bba50ec100200c57fc73ef7d1915b
Opcode Fuzzy Hash: bbe80efea17fbf0fbc6bb42756f05901a670b9b3a31076152137757bb55c23c2
Instruction Fuzzy Hash: C2D15871508202AFD314EF24C8959ABBBE8FFD8304F40496DF5959B291EB31ED46CB92

Function 005922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 005922E8

Part of subcall function 0058E4EC: GetWindowRect.USER32(?,?), ref: 0058E504

GetDesktopWindow.USER32 ref: 00592312
GetWindowRect.USER32(00000000), ref: 00592319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00592355
GetCursorPos.USER32(?), ref: 00592381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005923DF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction ID: ab8ac46f56834affceed31e8a00d84c1667fcb0944549a94fd558a1e514ce4f2
Opcode Fuzzy Hash: 9d1260637b44cc3da4d6eabc3b645c9e0f00466f70fff01a2ab47522f6a789d8
Instruction Fuzzy Hash: A231DE72505316AFCB20DF14D849B5BBBE9FF89310F000919F98997191DB34EA08CB92

Function 00589B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00589B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00589C8B

Part of subcall function 00583874: GetInputState.USER32 ref: 005838CB
Part of subcall function 00583874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00589BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00589C75

Strings

*.*, xrefs: 00589B5D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction ID: 07fbb771b0ffd4c3c3a9af82df8d12deabb020f8fa5dcd6892961e74eb99cc67
Opcode Fuzzy Hash: cd9f255d80474b86fe1570301180a13b01a275f20cd8a6e1a37f75b96a972c19
Instruction Fuzzy Hash: 9341827190420AAFDF15EFA4C899AEEBFB4FF45310F244456E815B2191EB319E84CF60

Function 0052997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00529A4E
GetSysColor.USER32(0000000F), ref: 00529B23
SetBkColor.GDI32(?,00000000), ref: 00529B36

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction ID: ac4656bfb01e6cd28b69ffb343ad604e2269c08c0de2d28f6bac8cdb54a34805
Opcode Fuzzy Hash: cfc1820b6075d2964fb69c04e2e07312443c4ce03a80680f2c5169791115175b
Instruction Fuzzy Hash: 5AA1F770108668AEE728AA2CAC9CE7F2E9DFF8B354F140609F502D77D1CB259D41D276

Function 00591806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0059185D
WSAGetLastError.WSOCK32 ref: 00591884
bind.WSOCK32(00000000,?,00000010), ref: 005918DB
WSAGetLastError.WSOCK32 ref: 005918E6
closesocket.WSOCK32(00000000), ref: 00591915

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction ID: 05880092055b06d605d49a7d571dcc5d2f2ce00b9ed365500872198dffedfaf6
Opcode Fuzzy Hash: d168676fb91f24ff3471d8d8bbbccabc734be448441b8c89ff6f3f23ac591d02
Instruction Fuzzy Hash: 9451B275A002119FEB10AF24C88AF6A7FE5BF85718F048458F9165F3C3D771AD418BA1

Function 005A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005A1CC0
IsWindowEnabled.USER32 ref: 005A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 005A1CDB
IsIconic.USER32 ref: 005A1CE9
IsZoomed.USER32 ref: 005A1CF7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b469fcc648145d2b52dc5432de62c34b3b2abcf9c8e2eeb290e155a30e72acab
Instruction ID: f34e508edbbdb1eaaefda7c8993fd17b0bf63b156bacadfb7320719a1a8a5ba5
Opcode Fuzzy Hash: b469fcc648145d2b52dc5432de62c34b3b2abcf9c8e2eeb290e155a30e72acab
Instruction Fuzzy Hash: 1C218331740A115FE7208F2AC854B6E7FE5FF96325F198068E8468B351CB71DC46CB98

Function 00518060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005183E8
ERCP, xrefs: 0051813C
VUUU, xrefs: 0051843C
VUUU, xrefs: 005183FA
VUUU, xrefs: 00555DF0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction ID: 8874fc9844aae64ebedaa98193ed84187a1ffb264a53b44f0b5359c1225db84e
Opcode Fuzzy Hash: 3d285605b9d2a835d8779eebecf449feb85882a3e5919315a1bb755c2c2b8fea
Instruction Fuzzy Hash: F8A26A74A0061ACBEF348F58C8A47FDBBB1BB54311F6485AAD815A7281EB709D85CB90

Function 00578298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005782AA

Strings

|, xrefs: 005782DA
(, xrefs: 005782F0
tb], xrefs: 005784F4

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb]$|
API String ID: 1659193697-2890004336
Opcode ID: 46376787a8d577e13fa83f45828fde20f25ac97ab9f081cd557fe36c99ac45da
Instruction ID: 5acc7c38a10b7b2a8190d46f6875fdd5a946307441f06f886ed1275ad3df5567
Opcode Fuzzy Hash: 46376787a8d577e13fa83f45828fde20f25ac97ab9f081cd557fe36c99ac45da
Instruction Fuzzy Hash: B2323574A006059FCB28CF59D485A6ABBF0FF48710B15C96EE49ADB7A1EB70E941CB40

Function 0057AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0057AAAC
SetKeyboardState.USER32(00000080), ref: 0057AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0057AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0057AB88

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction ID: 203444b62a6dd7f5777a18ed7777f30a5a573b2bb8ea35d84a609d72279fbf84
Opcode Fuzzy Hash: a7b9e625ec7f833e5aca24eb455cca2744b0684910cfdf10f673c823141e59c6
Instruction Fuzzy Hash: A8311530A40208AEFB25CA64E805BFE7FAABBC5310F04C21AF58D561D0D7748985E7A2

Function 0054BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0054BB7F

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

GetTimeZoneInformation.KERNEL32 ref: 0054BB91
WideCharToMultiByte.KERNEL32(00000000,?,005E121C,000000FF,?,0000003F,?,?), ref: 0054BC09
WideCharToMultiByte.KERNEL32(00000000,?,005E1270,000000FF,?,0000003F,?,?,?,005E121C,000000FF,?,0000003F,?,?), ref: 0054BC36

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 3e0bb39db75abc56f855f9cc5a7e44d331480d5ea5b354ca4a39f09303c81cc2
Instruction ID: dd9fdd6df58cb5e01f6c69140bd721f6b0eb12806f06c95152f79d0a78499e8c
Opcode Fuzzy Hash: 3e0bb39db75abc56f855f9cc5a7e44d331480d5ea5b354ca4a39f09303c81cc2
Instruction Fuzzy Hash: 9A31EF30904246DFDB08DF6ACCC08ADBFB8FF5631471446AAE190DB2A1C7309E45EB50

Function 0058CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0058CE89
GetLastError.KERNEL32(?,00000000), ref: 0058CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0058CEFE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 1af3c0899514d57734c9cb63f95676ed35028d830c355d1843ef6a41a15f8789
Instruction ID: 717ba3dc2f06fa270d90f1c0f6ecd6b7908c38c7464b4538ed53b1bc01d854b1
Opcode Fuzzy Hash: 1af3c0899514d57734c9cb63f95676ed35028d830c355d1843ef6a41a15f8789
Instruction Fuzzy Hash: 7521B0715003059BE731EF65D949BA67FFCFB51314F10481EEA46E2151E774ED089B60

Function 00585C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00585CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00585D17
FindClose.KERNEL32(?), ref: 00585D5F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 79b0d09b92e178131098571a6b97c929de154670db76545494c35672081107c8
Instruction ID: 134cebc8f3110ba2196c20fb66a251dfaa7e2fd0af79521c5f21ed227a080329
Opcode Fuzzy Hash: 79b0d09b92e178131098571a6b97c929de154670db76545494c35672081107c8
Instruction Fuzzy Hash: 8351CC346046029FC714DF28C488E9ABBE4FF49314F14855EE99A8B3A2EB30ED44CF91

Function 00542622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0054271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00542724
UnhandledExceptionFilter.KERNEL32(?), ref: 00542731

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction ID: a7e356534833ece82dee2b925e8f95037e498253b70cb1e6148de0dc3a26d460
Opcode Fuzzy Hash: afa0bad793a59e7ef57cef759c7177a981d01b9904b6c01d6fc933f25c2b7c4e
Instruction Fuzzy Hash: EA31C27490122DABCB21DF68DD887DCBBB8BF18310F5041EAE80CA6260E7309F859F44

Function 005851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00585238
SetErrorMode.KERNEL32(00000000), ref: 005852A1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction ID: ccff98b3a51e8eda4305d98c6f91e0c6c59991862f3bc10c31d27e16c8ec55a6
Opcode Fuzzy Hash: 302896f6692914c909f31026dc2ae98f794663d7dc9fff567ab0d280a3bf993f
Instruction Fuzzy Hash: EC312C75A00619DFDB00EF54D888EADBFB5FF49314F048099E805AB362DB31E85ACB90

Function 005716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530668
Part of subcall function 0052FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00530685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0057173A
GetLastError.KERNEL32 ref: 0057174A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction ID: de28525dfd52e3a4012d6f38bbe328d96869c7069b90e1cfbbb5f54c633fd75f
Opcode Fuzzy Hash: 268f155e4c234fe2b6824220a25d3d7e0924c6bc417fc0e4814b7664d9f40f59
Instruction Fuzzy Hash: 5911CEB2400305AFD718AF58EC8AD6ABBBDFF45714B20C52EE05A57281EB70BC419B24

Function 0057D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0057D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0057D650

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction ID: 97260a61659f020e052c7f1a407080e120ad8ae6da29ee8d527df9d05606bc67
Opcode Fuzzy Hash: c8c7cfe43975fe371337c872d3ecfa002b006c502362fbed1bf106f54566f85b
Instruction Fuzzy Hash: C2115E75E05228BFDB108F95EC45FAFBFBCEB45B50F108156F908E7290D6704A059BA1

Function 00571663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0057168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005716A1
FreeSid.ADVAPI32(?), ref: 005716B1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction ID: 176b2a6727dfe6d7a91da12daf738ecc5d2fe21a0fde1488a30f27f53cf86fe0
Opcode Fuzzy Hash: 94809f7e001e4ed01662eaaf9c3d4e79071f6493883b96a9ddbf9ebd256bffaa
Instruction Fuzzy Hash: 89F0F47195030DFBDB00DFE49D89AAEBBBCFB08604F508565E501E2181E774AA489A54

Function 0056D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0056D28C

Strings

X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction ID: 34cacf5799088c056a9b5001acc38c10fcd8f24555b7ad87b395c2364a787781
Opcode Fuzzy Hash: 2f228e23243c86e7b0a3d14bb8becef993a5380fd53c8a845864ef320cfb6577
Instruction Fuzzy Hash: 84D0CAB880116DEACB94CBA0EC8CDDEBBBCBB15305F100A92F506A2040EB3496489F20

Function 0053CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: fcaf572f7ff181801ed2caa820e665f338e686476372e5d8e27cefae35fad23e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E8020B72E002199BDF14CFA9C8906ADBFF5FF88314F25816AD819FB285D731AD418B94

Function 0051CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00560C40
p#^, xrefs: 0051CF7F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#^
API String ID: 0-3707816926
Opcode ID: 5c2919906132e98298bd135c688006b3cb8e7eb8045be21aa25c449b8d9b0fe3
Instruction ID: 2807d7fc1836201bd9873582010fc7f00350088419aac3f565dcc528cbf25a3d
Opcode Fuzzy Hash: 5c2919906132e98298bd135c688006b3cb8e7eb8045be21aa25c449b8d9b0fe3
Instruction Fuzzy Hash: 1C32C030940219DFEF14DF90D885AEEBFB9FF45304F108459E806AB292D736AD86CB60

Function 005868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00586918
FindClose.KERNEL32(00000000), ref: 00586961

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction ID: 92dfe15808c49cd0ccfba3780411d71d20029e8ed3f7a5579bcaf8d9de36e887
Opcode Fuzzy Hash: e6c2e0ca8263addc36a6ca751e9337bcb197e074e1814221ff7d3751d7a85301
Instruction Fuzzy Hash: D71190356042019FD710DF29D489A16BFE5FF89328F14C699E8699F7A2CB30EC45CB91

Function 005837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00594891,?,?,00000035,?), ref: 005837F4

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction ID: a6f8d38a89109b4b3722f9ac3bc4949022bce98d14447c11d8e8f71cdf397620
Opcode Fuzzy Hash: 5d17485d37c43069677baa574a1c4a16a3a15347ea22a6834d119a8776dc343d
Instruction Fuzzy Hash: 7DF0EC706042152AE71067654C4DFDB3F9DFFC5B61F000175F905E2281D9609D48C7B0

Function 0057B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0057B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0057B270

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction ID: fa89f0b1796bb0ab1996e96e381df4b7cf9068d0bd5d1a0053f1d3c435a53079
Opcode Fuzzy Hash: d6c9a3098517764197ed367059a9a3fc2298711e6847290b8a8b1457c0d377f6
Instruction Fuzzy Hash: 8CF01D7580424DABEB059FA0D805BBE7FB4FF09309F008409F955A5192C3798615AF94

Function 005710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005711FC), ref: 005710D4
CloseHandle.KERNEL32(?,?,005711FC), ref: 005710E9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: adf179083da7eeff2f1bf6227ec6ab508c122a2012d43d70ab697419a8251e67
Instruction ID: a9e1315f29f48ef04729aaa2af4eb85710bee989828662f9d1c3b48f999a4b77
Opcode Fuzzy Hash: adf179083da7eeff2f1bf6227ec6ab508c122a2012d43d70ab697419a8251e67
Instruction Fuzzy Hash: 52E04F32004611AFE7252B11FC09E777FA9FF05310B10882EF4A6804B1DB626C90EB14

Function 0054676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00546766,?,?,00000008,?,?,0054FEFE,00000000), ref: 00546998

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction ID: e93db8e4fcc023ba353d75c78951ea72e99b9ec9bab419e8e81d22aa8d84caec
Opcode Fuzzy Hash: 3357750c0ab2e6af0b31174f06c12230542f54d63663b26414352bf51180f7f7
Instruction Fuzzy Hash: 22B15B31610609DFD719CF28C48ABA57FE0FF46368F258658E899CF2A2C335E991CB41

Function 0052B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0056851F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction ID: 5c5ea13b49c66f16d1b63a57e8fba0a420e47a1751b90403a6d7de34746e4853
Opcode Fuzzy Hash: c29aeaa10a3b8757eb0b3a25c3dba397e8bdc29f2395b5372918fb1970a2307d
Instruction Fuzzy Hash: 06126F75A002299BDF14DF58D8806FEBBF5FF59310F14859AE849EB291DB309E81CB90

Function 0058EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0058EABD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction ID: e0f9a164f958f0ca17671cc39ec2c663608b09c8ba1b3d21dd89983a255078c8
Opcode Fuzzy Hash: 29d3f5c5edae03487e1152dba985bcaef45ea37853529fdc6d3b2e9f4fc4aa5f
Instruction Fuzzy Hash: EAE01A312002059FE710EF59D809E9ABFE9BF99760F008416FC49D7351DA70E8818B90

Function 005309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005303EE), ref: 005309DA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction ID: 6731236b3270fc932bb6af9d12ce81b37ddfd2a7c636efd81943a63c572f10a7
Opcode Fuzzy Hash: b3f36f544b99d9c6b1559afa8afdcb790843ca92c1cb2ad20033261c2e6b4bd1
Instruction Fuzzy Hash:

Function 0053781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0053798B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: c72c856620d185eec990f30792e31fc344d2dd9885a31418fd5a459ee12330fe
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EF516CF2E0C74E6BDB384568485E7BEAFC5BB5E340F180A49E982D7382C615DE01D355

Function 00582046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&^, xrefs: 00582053

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: 0&^
API String ID: 0-2485633877
Opcode ID: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction ID: efdc774adaccca72eb9060afdade9a38d72b28871f9316ceea658329a6bf2281
Opcode Fuzzy Hash: 5af71e68612727b4e5fa3f6dbadaf52ecfd76c5220cf684b171f7574932750c1
Instruction Fuzzy Hash: DE21D5326206518BDB2CCE79C82767A77E9B7A4310F14862EE4A7D73D0DE75A904DB80

Function 00546DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction ID: 538f5619cd2a7d3531932885f1cc1bcf4285ae1ba0609ecf9c2ad259a2c2a61d
Opcode Fuzzy Hash: 00957ae74aa333ff8c3dc43abd3739c771e98fcd8703cc6cbd7d3cb4f14d8e05
Instruction Fuzzy Hash: 28324431D28F054EDB639634C8223756A8DAFBB3C9F15C737E81AB59A6EB28D4835100

Function 0052CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction ID: b4b2b6670b6a46d1a79ee37a0e1aa948a2e83be6d24b152ad9c1740506fc0e11
Opcode Fuzzy Hash: c26b292e18e9a31aba765d270f4dac030bdf9532f4e90805d650d0f913a44ca5
Instruction Fuzzy Hash: 1132F232A001658BDF28CE69D89467D7FA1FF46300F28856BD4EADB792D630DE81DB41

Function 00517920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df1b824fb751c9db15ead2e2fd79593689761ceeae5943f05296bfb10717a87
Instruction ID: 96dd3358aa9fc646125892e4841828c2d94547bf540d9603fff657cf00a5c39a
Opcode Fuzzy Hash: 3df1b824fb751c9db15ead2e2fd79593689761ceeae5943f05296bfb10717a87
Instruction Fuzzy Hash: 5A22B270A0460ADFEF14CF68D865AEEBBB5FF48301F10452AE816A7291FB35AD54CB50

Function 005191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eefd29311bdfc5e2b1a939e7aa14834f950f7d5fe8fc793def21c9357b82f89
Instruction ID: 569ac9444a55ac1755b9f3dd5d1498b080e8181ff17d1e372d27061967790070
Opcode Fuzzy Hash: 7eefd29311bdfc5e2b1a939e7aa14834f950f7d5fe8fc793def21c9357b82f89
Instruction Fuzzy Hash: 5E02E8B1E00206EBDB05DF64D896AADBFB5FF44300F11856AE816DB291E731EE54CB81

Function 00549EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d3c448c2e139b22669b5166a571d3b3392011c7eb69f44aa409d58a05b9351
Instruction ID: 43689ecb61664e5e97fa1c94646beb450a6b8f5327d9f42c02463b4ded8d3e6b
Opcode Fuzzy Hash: c6d3c448c2e139b22669b5166a571d3b3392011c7eb69f44aa409d58a05b9351
Instruction Fuzzy Hash: 39B1F120D2AF404DD36396398831337BA8CAFBB2C5F91DB1BFC1674D22EB2295879140

Function 00531C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 776d4bfb39ffbb146dbfbe42a2817ca310806dc6a39976d7a32dd73c1ccdbdd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C99178732084A34ADB69463E857407EFFE17A923A1B1A0B9DD4F2CB1C5FE24C954E724

Function 00531F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21dd7a12f8bab4f36f37a557ca2ede4b7b7922c3b09308ea03b2df29e2c0caf0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 9B916A732098A349D76D423D857803DFFE16A923A1F1A079DD4F2CB1C5EE24D568D624

Function 005319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 7b77afa1755ae17b678c8bd0505fc09574663a2bd1a061a7bc7b46bc2d8ed6bc
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9145732098E34EDB2D467A857403EFFE16A923A2B1A079DD4F2CB1C1FE14C964D624

Function 00537A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction ID: 50b5a69be44266dd7199e9a4bae3124cc82c5a7c218cc410244de98d72f1e9bc
Opcode Fuzzy Hash: 3209de6a0479d8c7121cce61d4ff15b729cf2cde7c9c6418e444edb62aa39ce3
Instruction Fuzzy Hash: 2F612AF1E0874E66DA785A2849B5BBEAFA4FF8D700F140D19F843DB281E6119E41C355

Function 00537CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d23281aacfac0db8e7e6f601fe87771f226220c8713d3e1c89d8b957484ce0d
Instruction ID: 7d8ec3ef7723152945fb120f14bb6e29f03ec609e5954a80949da84eca23569d
Opcode Fuzzy Hash: 1d23281aacfac0db8e7e6f601fe87771f226220c8713d3e1c89d8b957484ce0d
Instruction Fuzzy Hash: 0A6159F1E0870E66DE389A388895BBE2F98FF8E700F540D59F943DB281DA129D42D255

Function 00531706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 9127fcd35deeb4ff7a40335f90b528e0281608f6d0aa8d038872b92310812c53
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E98188336094A34DDB6D863A853453EFFE17A923A1B1E079DD4F2CB1C1EE24C554D628

Function 00592ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00592B30
DeleteObject.GDI32(00000000), ref: 00592B43
DestroyWindow.USER32 ref: 00592B52
GetDesktopWindow.USER32 ref: 00592B6D
GetWindowRect.USER32(00000000), ref: 00592B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00592CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00592CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592CF8
GetClientRect.USER32(00000000,?), ref: 00592D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00592D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D80
GlobalLock.KERNEL32(00000000), ref: 00592D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592D98
GlobalUnlock.KERNEL32(00000000), ref: 00592DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DA8
GlobalFree.KERNEL32(00000000), ref: 00592DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,00000000), ref: 00592DDB
GlobalFree.KERNEL32(00000000), ref: 00592DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00592E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00592E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00592E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0059303F

Strings

AutoIt v3, xrefs: 00592CF2
, xrefs: 00592FC5
static, xrefs: 00592D3A, 00592E91
DISPLAY, xrefs: 00592EA2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction ID: a658e8566bcbc5b811fbe4d2704be4992c5475ad60fac345de20c93da84dea2f
Opcode Fuzzy Hash: a0d8ee3343bf5e662cf8efd1b1dad136db9ec5ae20eea3d995f91820ea175789
Instruction Fuzzy Hash: 75027A71A00209AFDB14DF68CC89EAE7FB9FF49310F008558F915AB2A1DB74AD45DB60

Function 005A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005A712F
GetSysColorBrush.USER32(0000000F), ref: 005A7160
GetSysColor.USER32(0000000F), ref: 005A716C
SetBkColor.GDI32(?,000000FF), ref: 005A7186
SelectObject.GDI32(?,?), ref: 005A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 005A71C0
GetSysColor.USER32(00000010), ref: 005A71C8
CreateSolidBrush.GDI32(00000000), ref: 005A71CF
FrameRect.USER32(?,?,00000000), ref: 005A71DE
DeleteObject.GDI32(00000000), ref: 005A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 005A7230
FillRect.USER32(?,?,?), ref: 005A7262
GetWindowLongW.USER32(?,000000F0), ref: 005A7284

Part of subcall function 005A73E8: GetSysColor.USER32(00000012), ref: 005A7421
Part of subcall function 005A73E8: SetTextColor.GDI32(?,?), ref: 005A7425
Part of subcall function 005A73E8: GetSysColorBrush.USER32(0000000F), ref: 005A743B
Part of subcall function 005A73E8: GetSysColor.USER32(0000000F), ref: 005A7446
Part of subcall function 005A73E8: GetSysColor.USER32(00000011), ref: 005A7463
Part of subcall function 005A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
Part of subcall function 005A73E8: SelectObject.GDI32(?,00000000), ref: 005A7482
Part of subcall function 005A73E8: SetBkColor.GDI32(?,00000000), ref: 005A748B
Part of subcall function 005A73E8: SelectObject.GDI32(?,?), ref: 005A7498
Part of subcall function 005A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
Part of subcall function 005A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
Part of subcall function 005A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: e495c7623fa1525b9899bbbd19335958371dffef6ca14c58a27d130bded609a7
Instruction ID: 9e0bcbd9bb9c35c7f9045a8e5b9d3a3e4844c77660121f3b47190b4ba9668048
Opcode Fuzzy Hash: e495c7623fa1525b9899bbbd19335958371dffef6ca14c58a27d130bded609a7
Instruction Fuzzy Hash: 96A19C72508305AFDB009F60DC48A6FBFE9FF9E320F100A19FA62961A1D730E948DB51

Function 00528D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00528E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00566AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00566AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00566F43

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

SendMessageW.USER32(?,00001053), ref: 00566F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00566F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00566FB7

Strings

0, xrefs: 00566DCF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction ID: f4de8b26466931e39962bd73c3442262321286c3043d3a9156dd4324a2c4ea55
Opcode Fuzzy Hash: c86afaa39f83b6e2f73581394125333b95f84c4efadbc434a888d0b833933765
Instruction Fuzzy Hash: 0C129B30601651EFDB25CF14D888BBABFE9FF5A300F144569E485CB2A2CB32AC55DB91

Function 00592711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0059273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00592900
GetClientRect.USER32(00000000,?), ref: 0059290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00592955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00592964
GetStockObject.GDI32(00000011), ref: 00592974
SelectObject.GDI32(00000000,00000000), ref: 00592978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00592988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00592991
DeleteDC.GDI32(00000000), ref: 0059299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 005929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00592A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00592A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00592A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00592A77
GetStockObject.GDI32(00000011), ref: 00592A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00592A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00592A97

Strings

AutoIt v3, xrefs: 005928F8
static, xrefs: 0059294F, 00592A71
DISPLAY, xrefs: 0059295A
msctls_progress32, xrefs: 00592A13

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction ID: ea1cfc400f18c441bae5644aa6780bcb876581a182681f117f3de12bcfcece12
Opcode Fuzzy Hash: 2bd84887d2d0ebc291479d75db7d456c73165498930e3a0e3cd3a44019db8e54
Instruction Fuzzy Hash: 30B14A71A00219BFEB14DFA8CC89EAE7BA9FB59710F008515F915EB290D770AD44CBA4

Function 00584ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584AED
GetDriveTypeW.KERNEL32(?,005ACB68,?,\\.\,005ACC08), ref: 00584BCA
SetErrorMode.KERNEL32(00000000,005ACB68,?,\\.\,005ACC08), ref: 00584D36

Strings

1394, xrefs: 00584C9F
SSA, xrefs: 00584CA6
\\.\, xrefs: 00584B3F
SSD, xrefs: 00584C4A
CDROM, xrefs: 00584BFB
SAS, xrefs: 00584CC9
SATA, xrefs: 00584CD0
Network, xrefs: 00584C02
SCSI, xrefs: 00584C8A
PhysicalDrive, xrefs: 00584B76
USB, xrefs: 00584CB4
RAMDisk, xrefs: 00584BF4
Unknown, xrefs: 00584BED, 00584C83
ATA, xrefs: 00584C98
FileBackedVirtual, xrefs: 00584CEC
Virtual, xrefs: 00584CE5
MMC, xrefs: 00584CDE
RAID, xrefs: 00584CBB
iSCSI, xrefs: 00584CC2
Fixed, xrefs: 00584C09
Removable, xrefs: 00584C10, 00584C15
ATAPI, xrefs: 00584C91
Fibre, xrefs: 00584CAD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction ID: a4fe4a10574a2f80bbe6cb3e0c7aae25122c1ee87098477094d33ddda477cca2
Opcode Fuzzy Hash: 0f675184068f30a067ee6eb4d245cfc2c0f77a0779eb0a8264397a33c53efaf3
Instruction Fuzzy Hash: 9F619F306052079BCB24FF28DA859A8BFB5BB44300B248817EC06BB391DB71ED42DF51

Function 005A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005A7421
SetTextColor.GDI32(?,?), ref: 005A7425
GetSysColorBrush.USER32(0000000F), ref: 005A743B
GetSysColor.USER32(0000000F), ref: 005A7446
CreateSolidBrush.GDI32(?), ref: 005A744B
GetSysColor.USER32(00000011), ref: 005A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005A7471
SelectObject.GDI32(?,00000000), ref: 005A7482
SetBkColor.GDI32(?,00000000), ref: 005A748B
SelectObject.GDI32(?,?), ref: 005A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 005A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 005A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 005A7572
DrawFocusRect.USER32(?,?), ref: 005A757D
GetSysColor.USER32(00000011), ref: 005A758E
SetTextColor.GDI32(?,00000000), ref: 005A7596
DrawTextW.USER32(?,005A70F5,000000FF,?,00000000), ref: 005A75A8
SelectObject.GDI32(?,?), ref: 005A75BF
DeleteObject.GDI32(?), ref: 005A75CA
SelectObject.GDI32(?,?), ref: 005A75D0
DeleteObject.GDI32(?), ref: 005A75D5
SetTextColor.GDI32(?,?), ref: 005A75DB
SetBkColor.GDI32(?,?), ref: 005A75E5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9b5707a3c4ff48b5c4cf9c4dba9b8b1f77cc3c1142d4a5c4a50eb0c17a25add5
Instruction ID: fd6aa1b34001fde29dca1707c8de140ed363b044908c8989d770abc0267c3d0f
Opcode Fuzzy Hash: 9b5707a3c4ff48b5c4cf9c4dba9b8b1f77cc3c1142d4a5c4a50eb0c17a25add5
Instruction Fuzzy Hash: 19614A72D04218AFDF019FA4DC49AAEBFB9FF0E320F114525F915AB2A1D7749940DB90

Function 005A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005A1128
GetDesktopWindow.USER32 ref: 005A113D
GetWindowRect.USER32(00000000), ref: 005A1144
GetWindowLongW.USER32(?,000000F0), ref: 005A1199
DestroyWindow.USER32(?), ref: 005A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 005A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005A1245
IsWindowVisible.USER32(00000000), ref: 005A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005A12D0
GetWindowRect.USER32(00000000,?), ref: 005A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 005A130E
GetMonitorInfoW.USER32(00000000,?), ref: 005A1328
CopyRect.USER32(?,?), ref: 005A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 005A13AA

Strings

tooltips_class32, xrefs: 005A11E6
0, xrefs: 005A10D3
(, xrefs: 005A131B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction ID: 198b70755214fe71dde5ade3987a4bcd251b9b3215ad0fd46f9e56ff55373691
Opcode Fuzzy Hash: 47b56bf184305f637032142a3dcff30c7487bbed3e454ac0d3ea40623ecda33c
Instruction Fuzzy Hash: D9B18E71608741AFE704DF64C888BAEBFE5FF89350F008919F9999B261D731E844CB95

Function 00528891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00528968
GetSystemMetrics.USER32(00000007), ref: 00528970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0052899B
GetSystemMetrics.USER32(00000008), ref: 005289A3
GetSystemMetrics.USER32(00000004), ref: 005289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00528A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00528A3C
GetClientRect.USER32(00000000,000000FF), ref: 00528A5A
GetStockObject.GDI32(00000011), ref: 00528A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00528A81

Part of subcall function 0052912D: GetCursorPos.USER32(?), ref: 00529141
Part of subcall function 0052912D: ScreenToClient.USER32(00000000,?), ref: 0052915E
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000001), ref: 00529183
Part of subcall function 0052912D: GetAsyncKeyState.USER32(00000002), ref: 0052919D

SetTimer.USER32(00000000,00000000,00000028,005290FC), ref: 00528AA8

Strings

AutoIt v3 GUI, xrefs: 00528A20

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction ID: a49518bc8308b6110373f55120e4a08c53023691890e86ad0f41bf4d57921c7d
Opcode Fuzzy Hash: d5d970c422ca8c4c55f010799f74d9583bce0dcc5143c72287e03b715905b41b
Instruction Fuzzy Hash: AAB17971A0021A9FDB14DFA8DD89BAE7FB5FB49314F104229FA15EB2D0DB30A840DB55

Function 00570D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
Part of subcall function 005710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
Part of subcall function 005710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
Part of subcall function 005710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
Part of subcall function 005710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00570DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00570E29
GetLengthSid.ADVAPI32(?), ref: 00570E40
GetAce.ADVAPI32(?,00000000,?), ref: 00570E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00570E96
GetLengthSid.ADVAPI32(?), ref: 00570EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00570EB5
HeapAlloc.KERNEL32(00000000), ref: 00570EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00570EDD
CopySid.ADVAPI32(00000000), ref: 00570EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00570F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00570F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00570F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F6E
HeapFree.KERNEL32(00000000), ref: 00570F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F7E
HeapFree.KERNEL32(00000000), ref: 00570F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00570F8E
HeapFree.KERNEL32(00000000), ref: 00570F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00570FA1
HeapFree.KERNEL32(00000000), ref: 00570FA8

Part of subcall function 00571193: GetProcessHeap.KERNEL32(00000008,00570BB1,?,00000000,?,00570BB1,?), ref: 005711A1
Part of subcall function 00571193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00570BB1,?), ref: 005711A8
Part of subcall function 00571193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00570BB1,?), ref: 005711B7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction ID: 94147933d3616d56b47a737123f6dcf21e42dfbca505811c516e75b67ece4b5c
Opcode Fuzzy Hash: bea69d52af77047b49f5a6392c53582e99e784c421afece7c01ef645d96fe983
Instruction Fuzzy Hash: 20714B72A0020AEBDF20DFA5EC48BAEBFB8BF15310F148115F919A6191D7719A09DB60

Function 0059C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,005ACC08,00000000,?,00000000,?,?), ref: 0059C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0059C5A4
_wcslen.LIBCMT ref: 0059C5F4
_wcslen.LIBCMT ref: 0059C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0059C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0059C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0059C84D
RegCloseKey.ADVAPI32(?), ref: 0059C881
RegCloseKey.ADVAPI32(00000000), ref: 0059C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0059C960

Strings

REG_DWORD, xrefs: 0059C804
REG_EXPAND_SZ, xrefs: 0059C5CD
REG_BINARY, xrefs: 0059C913
REG_QWORD, xrefs: 0059C8C3
REG_MULTI_SZ, xrefs: 0059C6F5
REG_SZ, xrefs: 0059C644

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: ecd562a3499526a69a0238dd3215be9ca8ecb7fcacc5067f09f87d8eadb11a20
Instruction ID: 65d6091ea8e7ebefa0a227b30dc96ce80afb7bf4a83d511ccdbefd82c9d558a1
Opcode Fuzzy Hash: ecd562a3499526a69a0238dd3215be9ca8ecb7fcacc5067f09f87d8eadb11a20
Instruction Fuzzy Hash: 891248356042029FDB14DF18C895A6ABFE5FF88714F05885DF85A9B3A2DB31ED81CB81

Function 005A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A09C6
_wcslen.LIBCMT ref: 005A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A0A54
_wcslen.LIBCMT ref: 005A0A8A
_wcslen.LIBCMT ref: 005A0B06
_wcslen.LIBCMT ref: 005A0B81

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

Part of subcall function 00572BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00572BFA

Strings

EXPAND, xrefs: 005A0BF8
GETITEMCOUNT, xrefs: 005A0C1E
GETSELECTED, xrefs: 005A0C4E
GETTOTALCOUNT, xrefs: 005A09F2, 005A0A17
SELECT, xrefs: 005A0D11
ISCHECKED, xrefs: 005A0CE1
UNCHECK, xrefs: 005A0D3E
COLLAPSE, xrefs: 005A0B01, 005A0B1C
GETTEXT, xrefs: 005A0C97
CHECK, xrefs: 005A0A85, 005A0AA0
EXISTS, xrefs: 005A0B7C, 005A0B97

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction ID: 0b84ee3c1e562423bf36c7d2a3e3ff1fe8f90e3f4bb890a435a2b89ac42ce134
Opcode Fuzzy Hash: 183a11114ebdba956d1e227a35ebcf89a2938ea692ca679c3ecc26221646e1a4
Instruction Fuzzy Hash: 0EE17A312183069FC714DF28C45096EBBE2BF9A314F14895DF8969B3A2D731ED85CB91

Function 0059C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
_wcslen.LIBCMT ref: 0059C9F1
_wcslen.LIBCMT ref: 0059CA68
_wcslen.LIBCMT ref: 0059CA9E
_wcslen.LIBCMT ref: 0059CAF9
_wcslen.LIBCMT ref: 0059CB2F
_wcslen.LIBCMT ref: 0059CB7F

Strings

HKCC, xrefs: 0059CBAC
HKCU, xrefs: 0059CBCE
HKEY_CLASSES_ROOT, xrefs: 0059CAF3, 0059CAF8
HKU, xrefs: 0059CBF0
HKCR, xrefs: 0059CB29, 0059CB2E
HKEY_LOCAL_MACHINE, xrefs: 0059CA62, 0059CA67
HKEY_USERS, xrefs: 0059CBDF
HKLM, xrefs: 0059CA98, 0059CA9D
HKEY_CURRENT_CONFIG, xrefs: 0059CB79, 0059CB7E
HKEY_CURRENT_USER, xrefs: 0059CBBD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction ID: eaf357bb85fa78da58079f1accf41328e4737ca79a2a4b9a844b8bb73652b882
Opcode Fuzzy Hash: 127438a9f410792700a45c4835133499e74ab092614900d6fa17821f88732fa9
Instruction Fuzzy Hash: 5D71E23260016B8BCF20DE7CC9515BE3FA2BFA5764F650529F8669B284E635CD84C7A0

Function 005A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005A835A
_wcslen.LIBCMT ref: 005A836E
_wcslen.LIBCMT ref: 005A8391
_wcslen.LIBCMT ref: 005A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005A361A,?), ref: 005A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005A8501
FreeLibrary.KERNEL32(?), ref: 005A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005A851D
DestroyIcon.USER32(?), ref: 005A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005A8555

Strings

.icl, xrefs: 005A8368
.exe, xrefs: 005A8388
.dll, xrefs: 005A83AB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction ID: 4000e39377e1ed38495077e0679b0884a2ba5d4673d1438b79dc369000e5dc70
Opcode Fuzzy Hash: 8dcef1b7d0d98209c2095154804ca46b79036a4fbb0d84f637fee62daa3745be
Instruction Fuzzy Hash: 9F61E07190020ABFEB14DF64CC45BBE7FA8FB49721F10450AF815DA1D1EB74A980DBA0

Function 00517778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 0055528C
#ce, xrefs: 005178ED
#pragma compile, xrefs: 005177D3
', xrefs: 00555169
#requireadmin, xrefs: 005177FF
#OnAutoItStartRegister, xrefs: 00517817
#comments-end, xrefs: 005178D9
#notrayicon, xrefs: 005177E7
#include-once, xrefs: 0051782F
#include, xrefs: 00517847
Bad directive syntax error, xrefs: 0055519A
", xrefs: 00555153
Cannot parse #include, xrefs: 00555279
#comments-start, xrefs: 0051785F, 005178B1
#cs, xrefs: 00517873, 005178C5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 23e1185765fcdb0110c6cddf5a56448abe5d3fa94c39c3b78a9f952bdc06ed47
Instruction ID: 8b0ea2b4074395fc69489bc7cb3bfefd18196bf34bccab275f2d21d2cdcfb67c
Opcode Fuzzy Hash: 23e1185765fcdb0110c6cddf5a56448abe5d3fa94c39c3b78a9f952bdc06ed47
Instruction Fuzzy Hash: 5B81E67160460ABBEB20AF64DC56FEE3F78FF59300F044025F905AA192EB70D985D7A1

Function 00583E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00583EF8
_wcslen.LIBCMT ref: 00583F03
_wcslen.LIBCMT ref: 00583F5A
_wcslen.LIBCMT ref: 00583F98
GetDriveTypeW.KERNEL32(?), ref: 00583FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00584059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00584087

Strings

wait, xrefs: 00584044
open, xrefs: 00583F54, 00583F59
close cd wait, xrefs: 00584072
type cdaudio alias cd wait, xrefs: 00584001
closed, xrefs: 00583F08, 00583F2D, 00583F46, 00583F7E, 00583F97
set cd door , xrefs: 00584028
close, xrefs: 00583EFE, 00583F18
open , xrefs: 00583FE5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: b85a5ea33abb4c7150b880d2cbb4294d5dc32ddfa338ffaf67ef83e1cd37357b
Instruction ID: 215ecb3d53d929f388a7880e06f5c80c20b296177a816379dafcab293c2bd361
Opcode Fuzzy Hash: b85a5ea33abb4c7150b880d2cbb4294d5dc32ddfa338ffaf67ef83e1cd37357b
Instruction Fuzzy Hash: A97190316042029FD310EF24C8859AABFE4FF94754F10492EF995A7261EB35ED46CB91

Function 00575A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00575A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00575A40
SetWindowTextW.USER32(?,?), ref: 00575A57
GetDlgItem.USER32(?,000003EA), ref: 00575A6C
SetWindowTextW.USER32(00000000,?), ref: 00575A72
GetDlgItem.USER32(?,000003E9), ref: 00575A82
SetWindowTextW.USER32(00000000,?), ref: 00575A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00575AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00575AC3
GetWindowRect.USER32(?,?), ref: 00575ACC
_wcslen.LIBCMT ref: 00575B33
SetWindowTextW.USER32(?,?), ref: 00575B6F
GetDesktopWindow.USER32 ref: 00575B75
GetWindowRect.USER32(00000000), ref: 00575B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00575BD3
GetClientRect.USER32(?,?), ref: 00575BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00575C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00575C2F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction ID: f717d6a50677cd11ac83ddbc175e8d267dfc15700b27c56e0b97a4f71b2ac2ed
Opcode Fuzzy Hash: 30612cc84018b78f48cf7f01230e89490f7eba844d435360fa553fc67054d6f2
Instruction Fuzzy Hash: B0717F31900B059FDB20DFA8DE85A6EBFF5FF48705F104918E18AA35A0E7B4E944DB50

Function 0058FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0058FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0058FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0058FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0058FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0058FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0058FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0058FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0058FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0058FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0058FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0058FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0058FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0058FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0058FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0058FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0058FECC
GetCursorInfo.USER32(?), ref: 0058FEDC
GetLastError.KERNEL32 ref: 0058FF1E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bf5abb4dc0c1c5e019b0050a9ba05f14132099d8eb08f8e80cf2cdbd0d21cbc3
Instruction ID: d66161c3e5ed8d12d18b654362200d09650603ace43a04255dd92a3fcf9e320b
Opcode Fuzzy Hash: bf5abb4dc0c1c5e019b0050a9ba05f14132099d8eb08f8e80cf2cdbd0d21cbc3
Instruction Fuzzy Hash: 274151B0D443196ADB109FBA8C8985EBFE8FF08354B50452AE519E7281DB78A9018F91

Function 005730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057318D
_wcslen.LIBCMT ref: 005731F8

Strings

CLASSNN, xrefs: 005731F3, 00573204
INSTANCE, xrefs: 00573453
CLASS, xrefs: 00573188, 005731A5
REGEXPCLASS, xrefs: 00573255, 00573266
NAME, xrefs: 00573335, 00573346
[], xrefs: 0057339A
TEXT, xrefs: 0057347C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[]
API String ID: 176396367-4125391415
Opcode ID: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction ID: 4fce7546877220f89ca9fbb137fdb8872f5243ea5fc453e8c3f1c017bfd1431e
Opcode Fuzzy Hash: c85ac22828e6aa4ecbafa830eb0d43ad4ccbc1c81dd54fbe0dc067889a816da8
Instruction Fuzzy Hash: FCE1E732A00516ABCF28DF78D4556EDBFB1BF44720F54C52AE45AA7240EB30AE85F790

Function 005300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005300C6

Part of subcall function 005300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(005E070C,00000FA0,67C35D53,?,?,?,?,005523B3,000000FF), ref: 0053011C
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005523B3,000000FF), ref: 00530127
Part of subcall function 005300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005523B3,000000FF), ref: 00530138
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0053014E
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0053015C
Part of subcall function 005300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0053016A
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00530195
Part of subcall function 005300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005301A0

___scrt_fastfail.LIBCMT ref: 005300E7

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

Strings

InitializeConditionVariable, xrefs: 00530148
kernel32.dll, xrefs: 00530133
WakeAllConditionVariable, xrefs: 00530162
SleepConditionVariableCS, xrefs: 00530154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00530122

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction ID: 2b027beda6b6cd48bbc23366fbf28800fc68745221f96054de72aafd0fca023f
Opcode Fuzzy Hash: 7b9d8a64aef4c36090ce989931249560b62d120c9820ec9e071151759eed3783
Instruction Fuzzy Hash: 63212632A407116BE7256BA4BC59B2E7FE8FB56B61F00113AF801E72D1DBB09C04DB90

Function 005844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,005ACC08), ref: 00584527
_wcslen.LIBCMT ref: 0058453B
_wcslen.LIBCMT ref: 00584599
_wcslen.LIBCMT ref: 005845F4
_wcslen.LIBCMT ref: 0058463F
_wcslen.LIBCMT ref: 005846A7

Part of subcall function 0052F9F2: _wcslen.LIBCMT ref: 0052F9FD

GetDriveTypeW.KERNEL32(?,005D6BF0,00000061), ref: 00584743

Strings

all, xrefs: 00584531, 00584536
unknown, xrefs: 00584708
fixed, xrefs: 00584635, 0058463A
ramdisk, xrefs: 005846F1
removable, xrefs: 005845EA, 005845EF
cdrom, xrefs: 0058458F, 00584594
network, xrefs: 0058469D, 005846A2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction ID: 52e427e6f0860e730395d9f9e12390ecf223d89397b3e5b1e8fc89aba3b4b925
Opcode Fuzzy Hash: 045060e17fed9ee865c530bf999c969e4fb017f404a13b153530e7888972d2fe
Instruction Fuzzy Hash: F2B19D316083039BC710EF28C894A6EBBE5BFA5764F50491DF896E7291E730D985CB92

Function 005A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

DragQueryPoint.SHELL32(?,?), ref: 005A9147

Part of subcall function 005A7674: ClientToScreen.USER32(?,?), ref: 005A769A
Part of subcall function 005A7674: GetWindowRect.USER32(?,?), ref: 005A7710
Part of subcall function 005A7674: PtInRect.USER32(?,?,005A8B89), ref: 005A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 005A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 005A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 005A9277
DragFinish.SHELL32(?), ref: 005A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005A9371

Strings

p#^, xrefs: 005A92BB
@GUI_DRAGFILE, xrefs: 005A9320
@GUI_DROPID, xrefs: 005A929E
@GUI_DRAGID, xrefs: 005A92E9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#^
API String ID: 221274066-4237971630
Opcode ID: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction ID: b3122728a10f91d5f26426d0b86c766d0ab4d7bea99136e93a8158366580abd7
Opcode Fuzzy Hash: 5f30679c007cdd16b1e8693ff721ccc44b44fe8e2f45fe8d13d713b40d4e05dc
Instruction Fuzzy Hash: 3F613771108302AFD701DF54D889DAFBFE8FFD9750F00091AB595962A1DB309A49CB92

Function 00593FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005ACC08), ref: 005940BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005940CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,005ACC08), ref: 005940F2
FreeLibrary.KERNEL32(00000000,?,005ACC08), ref: 0059413E
StringFromGUID2.OLE32(?,?,00000028,?,005ACC08), ref: 005941A8
SysFreeString.OLEAUT32(00000009), ref: 00594262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005942C8
SysFreeString.OLEAUT32(?), ref: 005942F2

Strings

GetModuleHandleExW, xrefs: 005940C7
kernel32.dll, xrefs: 005940B6

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 312cf3a8598d726196b391365d5b4c8b8bbedcc036270b727b5f4fe80973994d
Instruction ID: 03789ed3542460ea0261bb51e8d3475fdb96dce5829b3155b23092bad8d09293
Opcode Fuzzy Hash: 312cf3a8598d726196b391365d5b4c8b8bbedcc036270b727b5f4fe80973994d
Instruction Fuzzy Hash: 84120975A00115AFDF14DF94C888EAEBBB5FF49318F248498E9099B251D731ED86CFA0

Function 0051326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(005E1990), ref: 00552F8D
GetMenuItemCount.USER32(005E1990), ref: 0055303D
GetCursorPos.USER32(?), ref: 00553081
SetForegroundWindow.USER32(00000000), ref: 0055308A
TrackPopupMenuEx.USER32(005E1990,00000000,?,00000000,00000000,00000000), ref: 0055309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005530A9

Strings

0, xrefs: 0051327D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction ID: af02a0ea856ff7407d1511b743f0a84c1853f589062e0e377b662b911064c1d2
Opcode Fuzzy Hash: 0bf0b179e99ad1848a27375bce4e52cc18e0209f0940dc1bb431f9664887faae
Instruction Fuzzy Hash: 59710C30640206BEFB259F64DC99FAABF68FF06364F204216F9256A1E0C7B1AD54D750

Function 005A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 005A6DEB

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6E94
DestroyWindow.USER32(?), ref: 005A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 005A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A6EFD
GetDesktopWindow.USER32 ref: 005A6F16
GetWindowRect.USER32(00000000), ref: 005A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005A6F4D

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

Strings

tooltips_class32, xrefs: 005A6E58, 005A6EDD
0, xrefs: 005A6D98

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction ID: 3203997087ab0fa708173287b07fd1d54867da02243f37f160fb88a70989983f
Opcode Fuzzy Hash: 506a175e713a4fc56172da299d6a9a383f13efea5092c41f58e99756c52f6758
Instruction Fuzzy Hash: 92715B74144245AFDB25CF18DC84FABBFE9FB9A304F08041DF9998B2A1C770A949DB15

Function 0058C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0058C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0058C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0058C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0058C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0058C5F0
InternetCloseHandle.WININET(00000000), ref: 0058C5FB

Strings

, xrefs: 0058C575

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction ID: 2b1830867d0f22beec1514f2e3adb9b94de766b10f3f2ae826bf00e9bb3cd1cd
Opcode Fuzzy Hash: 0de946ff81234d531bb964b90ed3ced2c8a42ee93e6055016db4283a3cf7c6ac
Instruction Fuzzy Hash: 4F515DB1500205BFEB21AF64C948ABB7FFCFF19754F00441AF945A6210DB34E948AB70

Function 005A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 005A8592
GetFileSize.KERNEL32(00000000,00000000), ref: 005A85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 005A85AD
CloseHandle.KERNEL32(00000000), ref: 005A85BA
GlobalLock.KERNEL32(00000000), ref: 005A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005A85D7
GlobalUnlock.KERNEL32(00000000), ref: 005A85E0
CloseHandle.KERNEL32(00000000), ref: 005A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 005A85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,005AFC38,?), ref: 005A8611
GlobalFree.KERNEL32(00000000), ref: 005A8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 005A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005A8671
DeleteObject.GDI32(00000000), ref: 005A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005A86AF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction ID: 5f37d3b040e4651022a9867580da52e8007f0476a1de009eac8babf7375f861b
Opcode Fuzzy Hash: c142638163b670bec78de0c767baafebf5741859c793f1e3d40871ee5266ff19
Instruction Fuzzy Hash: 9E41E675600208BFDB119FA5DC48EAE7FB8FF9AB11F144059F905EB260DB309905DB60

Function 005814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00581502
VariantCopy.OLEAUT32(?,?), ref: 0058150B
VariantClear.OLEAUT32(?), ref: 00581517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00581657
VariantInit.OLEAUT32(?), ref: 00581708
SysFreeString.OLEAUT32(?), ref: 0058178C
VariantClear.OLEAUT32(?), ref: 005817D8
VariantClear.OLEAUT32(?), ref: 005817E7
VariantInit.OLEAUT32(00000000), ref: 00581823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00581625
Default, xrefs: 005816AF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction ID: 980ad9e6b04b45b22e0d3514e6d0f2b74c22002dd6da3711dbea11301e905e12
Opcode Fuzzy Hash: 9a3d38d32e5b81ba8e8486362f8bbeb01862d5c81780f4cca55b6c5f0e73332a
Instruction Fuzzy Hash: 4BD1E271A00916DBDB10AF65E889B7DBFB9BF86700F10846AE846BB180DB30DC46DF55

Function 0059B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0059B80A
RegCloseKey.ADVAPI32(?), ref: 0059B87E
RegCloseKey.ADVAPI32(?), ref: 0059B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0059B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0059B922
FreeLibrary.KERNEL32(00000000), ref: 0059B983
RegCloseKey.ADVAPI32(00000000), ref: 0059B994

Strings

advapi32.dll, xrefs: 0059B8ED
RegDeleteKeyExW, xrefs: 0059B8FE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction ID: 4ec804f3d070aa3baf3fd6b8bd418a48a303274b3022ac858df8b860c9b2d091
Opcode Fuzzy Hash: 6a1a88d45215d4979a5948132567b1484d54f2d3b5c5c73003281dc6ee59eb80
Instruction Fuzzy Hash: B9C17D30204202AFEB10DF14D599F6ABFE5FF84308F14855CE59A4B2A2CB75ED86CB91

Function 0059255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005925E8
CreateCompatibleDC.GDI32(?), ref: 005925F4
SelectObject.GDI32(00000000,?), ref: 00592601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0059266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005926D0
SelectObject.GDI32(?,?), ref: 005926D8
DeleteObject.GDI32(?), ref: 005926E1
DeleteDC.GDI32(?), ref: 005926E8
ReleaseDC.USER32(00000000,?), ref: 005926F3

Strings

(, xrefs: 0059268D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1e24d5a985a67cc51925da6848fca18dfbfd742e92b5dd8da6330ac857f3c179
Instruction ID: 3c1a2fd0e8e0f01e1f23edcf63cf8a97ac779e41231635b2ac480e4f37ea9cc5
Opcode Fuzzy Hash: 1e24d5a985a67cc51925da6848fca18dfbfd742e92b5dd8da6330ac857f3c179
Instruction Fuzzy Hash: A061D275E00219EFCF05CFA8D988AAEBBF5FF58310F208529E956A7250D770A941DF90

Function 0054DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0054DAA1

Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D659
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D66B
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D67D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D68F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6A1
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6B3
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6C5
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6D7
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6E9
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D6FB
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D70D
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D71F
Part of subcall function 0054D63C: _free.LIBCMT ref: 0054D731

_free.LIBCMT ref: 0054DA96

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054DAB8
_free.LIBCMT ref: 0054DACD
_free.LIBCMT ref: 0054DAD8
_free.LIBCMT ref: 0054DAFA
_free.LIBCMT ref: 0054DB0D
_free.LIBCMT ref: 0054DB1B
_free.LIBCMT ref: 0054DB26
_free.LIBCMT ref: 0054DB5E
_free.LIBCMT ref: 0054DB65
_free.LIBCMT ref: 0054DB82
_free.LIBCMT ref: 0054DB9A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b0c72256c07c906b3235f0667140bc22fb1feb2da4bac7eba9c2409adf76b835
Instruction ID: 2d6e3b6f5a3c5c42a1fc12d99973f5fba1c2b25e96e381818fc4bf4e6d23e272
Opcode Fuzzy Hash: b0c72256c07c906b3235f0667140bc22fb1feb2da4bac7eba9c2409adf76b835
Instruction Fuzzy Hash: 28312A316046069FEB22AA3AE849BDA7FF9FF40318F55441AF449D7291DA35AC80CB30

Function 0057365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0057369C
_wcslen.LIBCMT ref: 005736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00573797
GetClassNameW.USER32(?,?,00000400), ref: 0057380C
GetDlgCtrlID.USER32(?), ref: 0057385D
GetWindowRect.USER32(?,?), ref: 00573882
GetParent.USER32(?), ref: 005738A0
ScreenToClient.USER32(00000000), ref: 005738A7
GetClassNameW.USER32(?,?,00000100), ref: 00573921
GetWindowTextW.USER32(?,?,00000400), ref: 0057395D

Strings

%s%u, xrefs: 00573734

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction ID: 317b7c397bd0880e0e8153a9bc3f02a8e07af5eaf326be7df6a93a3a6328cd43
Opcode Fuzzy Hash: b091d4a713847a398f5cf6878d371f3e932a002880d4072c36217f3b55f70b25
Instruction Fuzzy Hash: D991B371204617AFD718DF24D885BAABFA8FF44360F008529FA9DD2190DB30EA45EB91

Function 00574954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00574994
GetWindowTextW.USER32(?,?,00000400), ref: 005749DA
_wcslen.LIBCMT ref: 005749EB
CharUpperBuffW.USER32(?,00000000), ref: 005749F7
_wcsstr.LIBVCRUNTIME ref: 00574A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00574A64
GetWindowTextW.USER32(?,?,00000400), ref: 00574A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00574AE6
GetClassNameW.USER32(?,?,00000400), ref: 00574B20
GetWindowRect.USER32(?,?), ref: 00574B8B

Strings

ThumbnailClass, xrefs: 00574A6F, 00574AF1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction ID: 6862e355f64ae1b0f7a1f9936421b4d5cbe64e2ad6600e7fc6a1b810eebfb31d
Opcode Fuzzy Hash: 42d577b76fd0bda4483f780d65c0f34e8e3a9897fe1e0805741d6af090705f48
Instruction Fuzzy Hash: D891AA310042069FDB05DF14E985BAABFE9FF84314F04846AFD899A096EB30ED45DFA1

Function 0057BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(005E1990,000000FF,00000000,00000030), ref: 0057BFAC
SetMenuItemInfoW.USER32(005E1990,00000004,00000000,00000030), ref: 0057BFE1
Sleep.KERNEL32(000001F4), ref: 0057BFF3
GetMenuItemCount.USER32(?), ref: 0057C039
GetMenuItemID.USER32(?,00000000), ref: 0057C056
GetMenuItemID.USER32(?,-00000001), ref: 0057C082
GetMenuItemID.USER32(?,?), ref: 0057C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0057C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057C145

Strings

0, xrefs: 0057BF3D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 0f888608f2cd3f5792d72826a288ff7e39414a32446815aa229eaa86066f0a82
Instruction ID: 0d42eaf77828a8b02cc286e80f402a9392508cd0b112288fca6330b16e803765
Opcode Fuzzy Hash: 0f888608f2cd3f5792d72826a288ff7e39414a32446815aa229eaa86066f0a82
Instruction Fuzzy Hash: 8E6180B0900246AFDF15CF64EC8CAEE7FA8FB45344F408469F859A7291D735AD05EBA0

Function 0059CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0059CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD48

Part of subcall function 0059CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0059CCAA
Part of subcall function 0059CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0059CCBD
Part of subcall function 0059CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0059CCCF
Part of subcall function 0059CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0059CD05
Part of subcall function 0059CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0059CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0059CCF3

Strings

advapi32.dll, xrefs: 0059CCB8
RegDeleteKeyExW, xrefs: 0059CCC9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction ID: 76449b2b1065bb2c4135b0473957e9dec6189acc7770e4949f094441577c5f4f
Opcode Fuzzy Hash: a64dd6b452da4cc87a53810dfd57076986f40d08d64c7ba6537ffcaba2ffda7f
Instruction Fuzzy Hash: 94316E71A41229BBDB208B54DC88EFFBFBCFF56750F000165E905E6240DB349E49EAA0

Function 00583D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00583D40
_wcslen.LIBCMT ref: 00583D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00583D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00583DBE
RemoveDirectoryW.KERNEL32(?), ref: 00583DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00583E55
CloseHandle.KERNEL32(00000000), ref: 00583E60
CloseHandle.KERNEL32(00000000), ref: 00583E6B

Strings

\??\%s, xrefs: 00583D5B
:, xrefs: 00583D82
\, xrefs: 00583D77

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c9c863edca603b7c2968325ee53bb6d66d8035e646f3831242a5d39890c550c9
Instruction ID: 9c2d64e5f8216587f0489e833cde29f80c4912b085c2dabc9663322792831530
Opcode Fuzzy Hash: c9c863edca603b7c2968325ee53bb6d66d8035e646f3831242a5d39890c550c9
Instruction Fuzzy Hash: 7D31967550011A6BDB21ABA0DC49FEF3BBCFF89B40F1041B6F905E6150EB7497458B24

Function 0057E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0057E6B4

Part of subcall function 0052E551: timeGetTime.WINMM(?,?,0057E6D4), ref: 0052E555

Sleep.KERNEL32(0000000A), ref: 0057E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0057E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0057E727
SetActiveWindow.USER32 ref: 0057E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0057E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0057E773
Sleep.KERNEL32(000000FA), ref: 0057E77E
IsWindow.USER32 ref: 0057E78A
EndDialog.USER32(00000000), ref: 0057E79B

Strings

BUTTON, xrefs: 0057E719

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction ID: f073b9751afbd4aa994e19799cc77203efcd0e95fc8a64b490d8719a6423eb07
Opcode Fuzzy Hash: a494808b6dc206de66f1f48140752f687c2c423c56e22be94da2a861d6eeeb14
Instruction Fuzzy Hash: 4B2162B0200385AFEF045F25FCCAA253F6DF77A349F108465F549861A5DFB1AC08BA24

Function 0057E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0057EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0057EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0057EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0057EAA7

Strings

close PlayMe, xrefs: 0057EA6E, 0057EA9B
alias PlayMe, xrefs: 0057EA36
status PlayMe mode, xrefs: 0057EA58
open , xrefs: 0057EA0C
play PlayMe, xrefs: 0057EAA2
play PlayMe wait, xrefs: 0057EA91

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction ID: b23c9614e526a7b91241434ed60e74c863b90059a5dfcc7ebf550558c172c401
Opcode Fuzzy Hash: 61a8cefd10ec93d11d4f7b626158cb2532e02c0f54a0e6227855c869ed93631e
Instruction Fuzzy Hash: C2115131A5021A79E720A7A5DC5FDFF6F7CFBD5B40F00082BB811A21D1EA701946D9B1

Function 00575CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00575CE2
GetWindowRect.USER32(00000000,?), ref: 00575CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00575D59
GetDlgItem.USER32(?,00000002), ref: 00575D69
GetWindowRect.USER32(00000000,?), ref: 00575D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00575DCF
GetDlgItem.USER32(?,000003E9), ref: 00575DDD
GetWindowRect.USER32(00000000,?), ref: 00575DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00575E31
GetDlgItem.USER32(?,000003EA), ref: 00575E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00575E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00575E67

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: df01c4290a76ff926ad615a713a8996397b6e8ad68142963d5adad664806d083
Instruction ID: 107baca27bcc17ec47cf771bdebb0b3bdca4a7a8fb2cf8d1ceb04834e20c185c
Opcode Fuzzy Hash: df01c4290a76ff926ad615a713a8996397b6e8ad68142963d5adad664806d083
Instruction Fuzzy Hash: 7F51FF71A00615AFDB18CF68DD89AAE7FB9FB58300F548129F91AE7290E7709E04DB50

Function 00528BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00528F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00528BE8,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528FC5

DestroyWindow.USER32(?), ref: 00528C81
KillTimer.USER32(00000000,?,?,?,?,00528BBA,00000000,?), ref: 00528D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00566973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000,?), ref: 005669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00528BBA,00000000), ref: 005669D4
DeleteObject.GDI32(00000000), ref: 005669E6

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction ID: 30d0a4b81ba2f000b36e6c4fb785cd3ddd457784389474be67a17238baca1d2b
Opcode Fuzzy Hash: f24463815d56d80adb4a558604b0bac160634a9bf37ff793da9c8934840065d8
Instruction Fuzzy Hash: 45618031502B61DFDB259F54EA487397FF1FF62312F144918E082AB5A0CB35AC98EB54

Function 00529838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00529944: GetWindowLongW.USER32(?,000000EB), ref: 00529952

GetSysColor.USER32(0000000F), ref: 00529862

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction ID: 4cb9e7f3d078a931fe476a7b2be02545f5e048aca7da1330e3f638e743243659
Opcode Fuzzy Hash: d9ff70b674d20776c70e0103e6a8df3a9f10bd990e5cc0271dfdb4b142fa2434
Instruction Fuzzy Hash: DD41AF31504654AFDB245F38AC88BB93FA5BF27330F184655F9A28B2E2D7319846EB10

Function 00548D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.S, xrefs: 0054903A, 00548FD0, 00548FF2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: .S
API String ID: 0-1539595904
Opcode ID: 83cfbe8ef4a7bb93c42022b16b1ab8dcbdf33025e2dd58a36ebce130103574f2
Instruction ID: 4df9f2ad0d55cb23b9e7b728096982678500be7613d02536fa81326fd622d9b8
Opcode Fuzzy Hash: 83cfbe8ef4a7bb93c42022b16b1ab8dcbdf33025e2dd58a36ebce130103574f2
Instruction Fuzzy Hash: ABC1E174D04249AFDB15DFA8D84ABEEBFB0BF59318F044099F418AB392C7709941CB61

Function 005796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00579717
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579720

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0055F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00579742
LoadStringW.USER32(00000000,?,0055F7F8,00000001), ref: 00579745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00579866

Strings

Line %d (File "%s"):, xrefs: 0057978F
Error: , xrefs: 0057981D
%s (%d) : ==> %s: %s %s, xrefs: 0057984A
^ ERROR, xrefs: 005797FB
Line %d:, xrefs: 005797A0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction ID: 80cc43e4dae3be0c9425749b8b5899d28683a7dc2cdb02409d0af7afc2769872
Opcode Fuzzy Hash: af6b7b827216762ec88a924427d34ffe46f42bc3cdc9ffdd9ec789559f132d71
Instruction Fuzzy Hash: 7541207280021AAADF14EBE0DD9ADEE7B78BF95340F104425F60572092EB356F89DB71

Function 005706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00570804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0057082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00570837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057083C

Strings

SOFTWARE\Classes\, xrefs: 0057070E
\CLSID, xrefs: 00570724
\IPC$, xrefs: 00570784

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction ID: 24b33ed58f2f657a203f1727a9fedcb3e013658d3200f73d438afd1070e70d02
Opcode Fuzzy Hash: c301f0c6cb9751d543b5ef0558e464e761b8ca576a4731dfaf54e9aebf7531cc
Instruction Fuzzy Hash: F9411A71C10229EBDF15EFA4DC998EDBBB8FF54350F144526E905A31A1EB30AE44DB90

Function 00593C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00593C5C
CoInitialize.OLE32(00000000), ref: 00593C8A
CoUninitialize.OLE32 ref: 00593C94
_wcslen.LIBCMT ref: 00593D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00593DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00593ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00593F0E
CoGetObject.OLE32(?,00000000,005AFB98,?), ref: 00593F2D
SetErrorMode.KERNEL32(00000000), ref: 00593F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00593FC4
VariantClear.OLEAUT32(?), ref: 00593FD8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: cf7ae2bac5c9028cb49224f752ac1cdec4d35337ed0afd721d9f73fa068da959
Instruction ID: 2ab23bee25734d39621ab944db3876b769ad1d3830e7beafb1ce5e955c1a112f
Opcode Fuzzy Hash: cf7ae2bac5c9028cb49224f752ac1cdec4d35337ed0afd721d9f73fa068da959
Instruction Fuzzy Hash: E3C10171608305EFDB00DF68C88492ABBE9FF89744F14491DF98A9B250DB31EE45CB52

Function 00587A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00587AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00587B8F
SHGetDesktopFolder.SHELL32(?), ref: 00587BA3
CoCreateInstance.OLE32(005AFD08,00000000,00000001,005D6E6C,?), ref: 00587BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00587C74
CoTaskMemFree.OLE32(?,?), ref: 00587CCC
SHBrowseForFolderW.SHELL32(?), ref: 00587D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00587D7A
CoTaskMemFree.OLE32(00000000), ref: 00587D81
CoTaskMemFree.OLE32(00000000), ref: 00587DD6
CoUninitialize.OLE32 ref: 00587DDC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ef0993f72be85da02e4b8527e18a1de93ef582aaae3c1ea953ac539c6ad92c24
Instruction ID: e0eb0b44b998ba408dac48f68a003ae90e1cc16954d485a252e6de2c1b545eeb
Opcode Fuzzy Hash: ef0993f72be85da02e4b8527e18a1de93ef582aaae3c1ea953ac539c6ad92c24
Instruction Fuzzy Hash: 1DC10B75A04109AFDB14DFA4C888DAEBFF9FF48304B148499E819AB361D731EE45CB90

Function 005A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A5515
CharNextW.USER32(00000158), ref: 005A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A55AC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction ID: ea8e2b4be976ada3c33e14a844faf45e9a5f019e2946aaab4e145fcb64cc028e
Opcode Fuzzy Hash: d5886003ec15155a33efa9b38eafa08cfe157a35db590d3bee6c0fb55c518d32
Instruction Fuzzy Hash: D7615931904609EFDF119F64CC84EBE7FB9FB1A720F104545FA25AB290E7748A84DB60

Function 0056FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0056FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0056FB08
VariantInit.OLEAUT32(?), ref: 0056FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0056FB3A
VariantCopy.OLEAUT32(?,?), ref: 0056FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0056FBA1
VariantClear.OLEAUT32(?), ref: 0056FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0056FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBCC
VariantClear.OLEAUT32(?), ref: 0056FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0056FBE9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction ID: 052c8d2941b85b41d45c82aff44a66275088f8fcaffea0f8c130a4442233d49e
Opcode Fuzzy Hash: 9356f6dfa460259c161621eaeb9fb15b02d14413d0e097da0380477a65ed9a83
Instruction Fuzzy Hash: B4415F35E002199FCF00DFA4D8589AEBFB9FF59345F008069E906A7261DB70A945DBA0

Function 00579C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00579CA1
GetAsyncKeyState.USER32(000000A0), ref: 00579D22
GetKeyState.USER32(000000A0), ref: 00579D3D
GetAsyncKeyState.USER32(000000A1), ref: 00579D57
GetKeyState.USER32(000000A1), ref: 00579D6C
GetAsyncKeyState.USER32(00000011), ref: 00579D84
GetKeyState.USER32(00000011), ref: 00579D96
GetAsyncKeyState.USER32(00000012), ref: 00579DAE
GetKeyState.USER32(00000012), ref: 00579DC0
GetAsyncKeyState.USER32(0000005B), ref: 00579DD8
GetKeyState.USER32(0000005B), ref: 00579DEA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction ID: 685d34758f6ca7475cc448b13190a1fd413ce8ef14e5e60e09656be6af4b914b
Opcode Fuzzy Hash: 8f6b53878ed8cd5fe1f2804be95c920d8f962817de2d43954889e4c7bc82ad7e
Instruction Fuzzy Hash: 1941EB345047C96DFF318764A4043B5BEA47F22344F08C05ADACA575C2EBA49DC8E7B2

Function 0059055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005905BC
inet_addr.WSOCK32(?), ref: 0059061C
gethostbyname.WSOCK32(?), ref: 00590628
IcmpCreateFile.IPHLPAPI ref: 00590636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 005907B9
WSACleanup.WSOCK32 ref: 005907BF

Strings

Ping, xrefs: 00590676

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 57ea9d76adbd8cda1ff371c8025f5f70ecf49bf71473f5d630757a9f3533eb26
Instruction ID: 9f814ae3ae2f078b379af0feebdecb90875333d50973ea182e424a9ce42a4572
Opcode Fuzzy Hash: 57ea9d76adbd8cda1ff371c8025f5f70ecf49bf71473f5d630757a9f3533eb26
Instruction Fuzzy Hash: F5916C356042019FDB20DF15D488B1ABFE4FF85328F1599A9E4698B6A2C730FD85CF91

Function 00598CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00598CF3

Part of subcall function 00578E54: _wcslen.LIBCMT ref: 00578E77

_wcslen.LIBCMT ref: 00598D4E
_wcslen.LIBCMT ref: 00598D9C
_wcslen.LIBCMT ref: 00598DDC
_wcslen.LIBCMT ref: 00598E6E

Strings

cdecl, xrefs: 00598D48, 00598D4D
winapi, xrefs: 00598D96, 00598D9B
none, xrefs: 00598E65, 00598E6A
stdcall, xrefs: 00598DD6, 00598DDB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction ID: a53a5601b67f748e7e8b52716f4967f956f04f3a7f262ffda55c86cccd0f5692
Opcode Fuzzy Hash: 9bf8d05e32af8baac46059f62ffa2f4972ba75bb22e3154c9535cd29a3a4b901
Instruction Fuzzy Hash: AC519431A001179BCF24DF6CC9509BEBBA5BF66720B244629E426E73C4DB35DD40C790

Function 0059372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00593774
CoUninitialize.OLE32 ref: 0059377F
CoCreateInstance.OLE32(?,00000000,00000017,005AFB78,?), ref: 005937D9
IIDFromString.OLE32(?,?), ref: 0059384C
VariantInit.OLEAUT32(?), ref: 005938E4
VariantClear.OLEAUT32(?), ref: 00593936

Strings

NULL Pointer assignment, xrefs: 0059381E
Invalid parameter, xrefs: 00593865
Failed to create object, xrefs: 005937E4, 0059389A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction ID: 21e47184bd8155c0ce31768e3ffbbb48a829bf99ac12fd1f2fd0b081e013da92
Opcode Fuzzy Hash: c55db850f75ac87a2f66fc61aae2700cba9ce81ecf80317b74ef240c099ae4d2
Instruction Fuzzy Hash: EB617971608202EFDB10DF54D889B6ABFE8FF89710F004819F9859B291D770EE49CB92

Function 00583388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005833CF

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005833F0

Strings

Line %d (File "%s"):, xrefs: 00583443, 0058345C
Error: , xrefs: 005834D1
Incorrect parameters to object property !, xrefs: 005834AB
^ ERROR , xrefs: 0058349E
"%s" (%d) : ==> %s:, xrefs: 00583522
"%s" (%d) : ==> %s:%s%s, xrefs: 00583504

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction ID: b97928cbf6668750fe2cbab7faf2d9bd8b255a27dcb82d62a7769dcb87649bd9
Opcode Fuzzy Hash: 2c5b753b663f0a139c51f28c0c28e159c0975d32c3bfecdbbcecb43d0f98862c
Instruction Fuzzy Hash: EE51B37180020ABAEF15EBA0DD5AEEEBF78BF54740F104466F50572161EB312F98DB60

Function 0057B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0057B5FC
_wcslen.LIBCMT ref: 0057B608
_wcslen.LIBCMT ref: 0057B64D
_wcslen.LIBCMT ref: 0057B68C
_wcslen.LIBCMT ref: 0057B6C7

Strings

APPEND, xrefs: 0057B6C1, 0057B6C6
KEYS, xrefs: 0057B647, 0057B64C
REMOVE, xrefs: 0057B602, 0057B607
EXISTS, xrefs: 0057B686, 0057B68B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction ID: 9d3d8b958fce7c9f6bb1e33cf411d7d3e757fb5e8f625136b9ba80c7532fa462
Opcode Fuzzy Hash: 6c34b784d65c3a51936ad62e978f5782042e8d66e6090e8b84198591dbbcaad6
Instruction Fuzzy Hash: 2C41FD72A000279BDB205F7DD8906BE7FB5FFA0754B24812AE629D7284E735CD81D790

Function 00585393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00585416
GetLastError.KERNEL32 ref: 00585420
SetErrorMode.KERNEL32(00000000,READY), ref: 005854A7

Strings

UNKNOWN, xrefs: 00585444
INVALID, xrefs: 00585459
READONLY, xrefs: 00585452
READY, xrefs: 00585460, 00585468
NOTREADY, xrefs: 0058544B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction ID: bbbc0acc88e2e69d1789eae54116aef7bc10f5fac25d6c84168142adee5899ab
Opcode Fuzzy Hash: 4ac313710d03adff532ea9e41e96507077347536d5ad7b03e5072371345dc921
Instruction Fuzzy Hash: B4318F35A006059FDB10EF68C488AAA7FF4FF45305F548066E805EB3A2EB71DD86CB90

Function 005A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 005A3C79
SetMenu.USER32(?,00000000), ref: 005A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3D10
IsMenu.USER32(?), ref: 005A3D24
CreatePopupMenu.USER32 ref: 005A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3D5B
DrawMenuBar.USER32 ref: 005A3D63

Strings

0, xrefs: 005A3C54
F, xrefs: 005A3D4E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction ID: 27a32d64678b2d3c73eb1829b21462897e1da032068909cd2280e2de5c407997
Opcode Fuzzy Hash: 0d2f37f1e57237b641743da74e3f7dc7c0f261496fcb4c8271f0836d73c1a862
Instruction Fuzzy Hash: 18416879A01209EFDB14CF64D884AAE7FB5FF5A354F140029F946A7360D730AA14DB94

Function 00571EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00571F64
GetDlgCtrlID.USER32 ref: 00571F6F
GetParent.USER32 ref: 00571F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00571F8E
GetDlgCtrlID.USER32(?), ref: 00571F97
GetParent.USER32(?), ref: 00571FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00571FAE

Strings

ListBox, xrefs: 00571F21
ComboBox, xrefs: 00571EEC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6988849035dfbdd36d139ad445dcf7a536a518007fcf593bf0dced547869c3c8
Instruction ID: a48eb5abc76949db3d1615c25b98a0889183bc080912d25388fa365ffbb7892b
Opcode Fuzzy Hash: 6988849035dfbdd36d139ad445dcf7a536a518007fcf593bf0dced547869c3c8
Instruction Fuzzy Hash: 0421D070900214BBDF11EFA8DC89DEEBFB8BF56350F004116F9656B291DB344908EB60

Function 00571FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00572043
GetDlgCtrlID.USER32 ref: 0057204E
GetParent.USER32 ref: 0057206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057206D
GetDlgCtrlID.USER32(?), ref: 00572076
GetParent.USER32(?), ref: 0057208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057208D

Strings

ListBox, xrefs: 00572002
ComboBox, xrefs: 00571FCD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a6c9aca4f10ac45b3761e12970c75b2eb348c03fa41b191422d441615f6e1d70
Instruction ID: 86fe38d3784bab02a1d1d80e9a7d5d2409d65192834e0970f793663afd086e34
Opcode Fuzzy Hash: a6c9aca4f10ac45b3761e12970c75b2eb348c03fa41b191422d441615f6e1d70
Instruction Fuzzy Hash: 7621CF71900214BBDF10EFA4DC89EEEBFB8BF15340F004416B996AB2A1DA754958EB60

Function 005A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 005A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005A3C13

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction ID: 54982ee2cc5b44355717b08d8d85a7a00505cbc00a454a5e6c79052ab5caf453
Opcode Fuzzy Hash: 6a121adec603426d56cb2149658e46ed74cc961d9af572a72530947eae12d603
Instruction Fuzzy Hash: D5615975900248AFDB10DFA8CC81EEE7BF8BF4A714F100099FA15AB291C770AE45DB60

Function 0057B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B165
GetWindowThreadProcessId.USER32(00000000), ref: 0057B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0057B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0057A1E1,?,00000001), ref: 0057B21D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction ID: a050517342d5caed08633f028526d7c7b1b44c480fee28fff55d126ac75abfec
Opcode Fuzzy Hash: 15b1861ebdf8dcdd26e909d5e305a6190dc6f59cde9608180d4cd08a9552c0f0
Instruction Fuzzy Hash: 72318C75510208AFEB149F24EC8CB6D7FA9BB61311F108455FA09DB191E7B49E48AF60

Function 00542C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00542C94

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 00542CA0
_free.LIBCMT ref: 00542CAB
_free.LIBCMT ref: 00542CB6
_free.LIBCMT ref: 00542CC1
_free.LIBCMT ref: 00542CCC
_free.LIBCMT ref: 00542CD7
_free.LIBCMT ref: 00542CE2
_free.LIBCMT ref: 00542CED
_free.LIBCMT ref: 00542CFB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e5bdf43cff454d800f453543dcaf201535a61eb7e43b7195bcc3728197a0cb6d
Instruction ID: f2b647019b5027eac990fe8d3f060b4f816d861e06b3150a55d4c80a2b105c10
Opcode Fuzzy Hash: e5bdf43cff454d800f453543dcaf201535a61eb7e43b7195bcc3728197a0cb6d
Instruction Fuzzy Hash: DF11C076100119AFDB02EF95D886CDD3FB9FF45354F9144A0FA489B222DA31EE909B90

Function 00587DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00587FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00587FC1
GetFileAttributesW.KERNEL32(?), ref: 00587FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00588005
SetCurrentDirectoryW.KERNEL32(?), ref: 00588017
SetCurrentDirectoryW.KERNEL32(?), ref: 00588060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005880B0

Strings

*.*, xrefs: 00588066

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9a0e5fb5a9e78eb493b66398a5808f62e9e483d66d19b361993f78d6c71b18f5
Instruction ID: 726c6ec4c52bc6c92eed617e448c41a757dd9d9d81981cf118759105984ed499
Opcode Fuzzy Hash: 9a0e5fb5a9e78eb493b66398a5808f62e9e483d66d19b361993f78d6c71b18f5
Instruction Fuzzy Hash: 9A81A3725082059BDB20FF64C4489BABBE8BF89310F644C5AFC85E7250EB35DD49CB52

Function 00515BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00515C7A

Part of subcall function 00515D0A: GetClientRect.USER32(?,?), ref: 00515D30
Part of subcall function 00515D0A: GetWindowRect.USER32(?,?), ref: 00515D71
Part of subcall function 00515D0A: ScreenToClient.USER32(?,?), ref: 00515D99

GetDC.USER32 ref: 005546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00554708
SelectObject.GDI32(00000000,00000000), ref: 00554716
SelectObject.GDI32(00000000,00000000), ref: 0055472B
ReleaseDC.USER32(?,00000000), ref: 00554733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005547C4

Strings

U, xrefs: 00554693

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction ID: 6a7442baf897b7f100ead10c7b58d3ad4d9cbc5dbde225e092372e4ab66aa7f3
Opcode Fuzzy Hash: 606f041d2381b20eb5b647d1b542239d452e97a4a0ec60724ef10875ce4f5126
Instruction Fuzzy Hash: 1671DF34400205DFCF258F64C998AEA3FB5FF8A31AF14426AED555A266D7309CCADF50

Function 0058359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

Line %d (File "%s"):, xrefs: 0058366B
Error: , xrefs: 005836EF
"%s" (%d) : ==> %s:, xrefs: 00583742
"%s" (%d) : ==> %s:%s%s, xrefs: 00583724
^ ERROR, xrefs: 005836C9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction ID: 01a258eaff1156b73ec1966dd901fbecae17bf0f3fcd8015bee7ecbafa8b6670
Opcode Fuzzy Hash: f740b3057fc6fac08b1663d068b5317b56afb3e53c0ca98e25f1983bee0a3a34
Instruction Fuzzy Hash: 0C516B7180020ABAEF14EBA0DC9AEEDBF38FF54700F144525F515721A1EB306B99DBA0

Function 0058C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0058C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0058C2CA
GetLastError.KERNEL32 ref: 0058C322
SetEvent.KERNEL32(?), ref: 0058C336
InternetCloseHandle.WININET(00000000), ref: 0058C341

Strings

, xrefs: 0058C2BB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction ID: 7790a83be29ec81c6077cf97ffaada539440bc72bc764fc059f9443af2f9ae57
Opcode Fuzzy Hash: 98d7d3055c148619287e8690006587210a279fd393ab516df3775419a9338fdd
Instruction Fuzzy Hash: 64317FB1500604AFD721AF649C88AAB7FFCFB59744F10891EF886A2240DB34DD099B70

Function 0057989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00553AAF,?,?,Bad directive syntax error,005ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005798BC
LoadStringW.USER32(00000000,?,00553AAF,?), ref: 005798C3

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00579987

Strings

Line %d (File "%s"):, xrefs: 0057992D
Error: , xrefs: 00579955
Line %d:, xrefs: 00579912
%s (%d) : ==> %s.: %s %s, xrefs: 005798F1
., xrefs: 0057996D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction ID: 3543e181bf1943ab2dec9d3879c9b890ed7313b46a79ed3319eb8e9b89e6397c
Opcode Fuzzy Hash: cf11680bd29c287107490eb45fe4780d5aca51db3f22cd620debb7e661b1d1b6
Instruction Fuzzy Hash: 3D21943180021BBBDF11AF90DC5AEED7F75FF54300F044826F519620A1EB71AA58EB60

Function 0057209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0057214D

Strings

largeicons, xrefs: 005720E1
list, xrefs: 0057212F
SHELLDLL_DefView, xrefs: 005720CC
smallicons, xrefs: 00572115
details, xrefs: 005720FB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction ID: e24e2ee8d6ef4f15f5b1a9a8917e5d0e8b7af0ecbfbba80c76c1da46cb71f507
Opcode Fuzzy Hash: e8a184e5a12ad1e1daeace80f8dfb6591ca979f161a6249e322417ef7e8af23c
Instruction Fuzzy Hash: 9C11597A288307BAF6116229FC0BDA63F9CFB15324F20401BFB09A50D1FE716841BA14

Function 0054CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0054CEB7
_free.LIBCMT ref: 0054CF22
_free.LIBCMT ref: 0054CF48
_free.LIBCMT ref: 0054CF71
_free.LIBCMT ref: 0054CFA9
_free.LIBCMT ref: 0054CFDA
_free.LIBCMT ref: 0054D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0054D09C
_free.LIBCMT ref: 0054D0B5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: bbb58e7c0c477021772fb002c53c5e0ac1557e45dd50c393c8a633f0fc5189c7
Instruction ID: 0c4c8da63d30988a50988f37c33bf85e18892c3feaad86dce66b3f4f2a063d49
Opcode Fuzzy Hash: bbb58e7c0c477021772fb002c53c5e0ac1557e45dd50c393c8a633f0fc5189c7
Instruction Fuzzy Hash: FF618771905312BFDB25AFB49C89AEE7FA5FF81318F04016DF9449B282EB359C489760

Function 005A50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005A5186
ShowWindow.USER32(?,00000000), ref: 005A51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 005A51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 005A51D1

Part of subcall function 005A6FBA: DeleteObject.GDI32(00000000), ref: 005A6FE6

GetWindowLongW.USER32(?,000000F0), ref: 005A520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005A524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005A5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005A5296

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
Instruction ID: fe7235efff2c23d5327d5b586f3a8d11d5ceac297eb2c576746703b80b7ff7a7
Opcode Fuzzy Hash: af91222d32c97ee58d4a0023129f4cb45ae7f0fa1f0a1f341734ad401d6bbe70
Instruction Fuzzy Hash: 9B517A34A40A09AEEF249F24DC4AFEC3FA5FF57321F144011F6559A2E1E775A984EB40

Function 00528B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00566890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 00566901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0056691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00528874,00000000,00000000,00000000,000000FF,00000000), ref: 0056692D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction ID: 5e0b6f25aa68993db56f952f6c905eec3b766dfcd013a009b4c7cdb023e2328e
Opcode Fuzzy Hash: 66e45f2eea7abb2dca242a926c55c8933cb1b674fe93f8eb8f41bae400671fa7
Instruction Fuzzy Hash: B2519570A00609AFDB20CF64DC95BAA3FB5FF9A710F104518F9529B2E0DB70E990EB40

Function 0058C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0058C182
GetLastError.KERNEL32 ref: 0058C195
SetEvent.KERNEL32(?), ref: 0058C1A9

Part of subcall function 0058C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058C272
Part of subcall function 0058C253: GetLastError.KERNEL32 ref: 0058C322
Part of subcall function 0058C253: SetEvent.KERNEL32(?), ref: 0058C336
Part of subcall function 0058C253: InternetCloseHandle.WININET(00000000), ref: 0058C341

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction ID: ef4ebc6702325274392a1a6c707f3af78ee6a66c85632095370511702284238e
Opcode Fuzzy Hash: cfdfb2378b12210eccc5a6195d0abf4f229cbddccc759d77990079f3f2e33ecd
Instruction Fuzzy Hash: 46318075200601AFDB21AFB5DC48A66BFF9FF69300B00441DF997A2650DB31E814EB70

Function 005725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00572601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00572605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0057260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00572623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00572627

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction ID: 6c4d37684ed6d9e3cd017629e0a6cd174e5f0399fcc14a979a4e7f699d898d2d
Opcode Fuzzy Hash: e960b58145b9f48b7a03b2e116e9c117e650d9a739f5235b9cb96ab3c7203277
Instruction Fuzzy Hash: 6E01D431390210BBFB1067699C8EF593F59EB9EB12F104001F318AF0D1C9E22449EA69

Function 00571803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00571449,?,?,00000000), ref: 0057180C
HeapAlloc.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571828
GetCurrentProcess.KERNEL32(?,00000000,?,00571449,?,?,00000000), ref: 00571830
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 00571833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00571449,?,?,00000000), ref: 00571843
GetCurrentProcess.KERNEL32(00571449,00000000,?,00571449,?,?,00000000), ref: 0057184B
DuplicateHandle.KERNEL32(00000000,?,00571449,?,?,00000000), ref: 0057184E
CreateThread.KERNEL32(00000000,00000000,00571874,00000000,00000000,00000000), ref: 00571868

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction ID: 46fec11f13f0ccf2d9f6bbdd5053c8cba2646cac1bf36057acf69a3238f3dc8e
Opcode Fuzzy Hash: 09e8468a245220e03fdfcd945d78faa8b3f697f1e8659289c2849273603031c6
Instruction Fuzzy Hash: 5701BBB5340308BFE710ABA5DC4DF6B3FACEB9AB11F008411FA05DB1A1DA709804DB20

Function 00543E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00543F0B
__alldvrm.LIBCMT ref: 0054410C
__alldvrm.LIBCMT ref: 0054412E

Strings

}}S, xrefs: 00543E8A
}}S, xrefs: 005440CD
}}S, xrefs: 00543E96, 00543EF1, 00543F0A, 00544090

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}S$}}S$}}S
API String ID: 1036877536-895446879
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 1f58a2e901280b91e106e65eba6a01f1f909075f1f2f293f49a04c21a9fdcb07
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 8DA13671D407869FEB25CE18C8957EEBFF4FF61358F18416EE5859B282C2388985CB50

Function 0059A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0057D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0057D501
Part of subcall function 0057D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0057D50F
Part of subcall function 0057D4DC: CloseHandle.KERNELBASE(00000000), ref: 0057D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A16D
GetLastError.KERNEL32 ref: 0059A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0059A268
GetLastError.KERNEL32(00000000), ref: 0059A273
CloseHandle.KERNEL32(00000000), ref: 0059A2C4

Strings

SeDebugPrivilege, xrefs: 0059A18F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: da3ba646be0e545e3d66cd61f8e36c9710ed2ba4b790b89caa0407dddb526da4
Instruction ID: e0704fa6ca13c87619b056634e1cb1450a27cccd01a9f3c3f23e821b2de89b9e
Opcode Fuzzy Hash: da3ba646be0e545e3d66cd61f8e36c9710ed2ba4b790b89caa0407dddb526da4
Instruction Fuzzy Hash: 5D615E342042429FEB10DF18C498F55BFA1BF94318F14849CE4664B7A2C776ED45CBD2

Function 005A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A3954
_wcslen.LIBCMT ref: 005A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 005A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A39F4

Strings

SysListView32, xrefs: 005A38F7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction ID: a1f9f8aba6b8e4cb58b309b81d8268a2f0420fcd9578ca1bfad196a03ca267d3
Opcode Fuzzy Hash: f01334a2a6e1618b05379d73bd6a9e98ff72a4ae3d3d6b655d43d670c74be508
Instruction Fuzzy Hash: A641D071A00219ABEB21DF64CC49BEE7FA9FF49354F100526F948E7281D7B49E84CB90

Function 0057BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0057BCFD
IsMenu.USER32(00000000), ref: 0057BD1D
CreatePopupMenu.USER32 ref: 0057BD53
GetMenuItemCount.USER32(00DA6368), ref: 0057BDA4
InsertMenuItemW.USER32(00DA6368,?,00000001,00000030), ref: 0057BDCC

Strings

0, xrefs: 0057BCA8
2, xrefs: 0057BD37

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction ID: 2c2c97a1fb7455183e1d6cc62613661665a13b37a265714c6c8adc8c2d7d318f
Opcode Fuzzy Hash: 494da3f4b1aa77ae215433e21e77289b6ffb16378bea6289337b786cb5ad49f7
Instruction Fuzzy Hash: 72519F70A002059FEB21CFA8E888BAEBFF4BF55314F14C519E419D7291E7719944EB51

Function 00532D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00532D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00532D53
_ValidateLocalCookies.LIBCMT ref: 00532DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00532E0C
_ValidateLocalCookies.LIBCMT ref: 00532E61

Strings

csm, xrefs: 00532DF6
&HS, xrefs: 00532DFE, 00532E07, 00532E18

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HS$csm
API String ID: 1170836740-2847240634
Opcode ID: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction ID: 0bea1da9764ef4f34922b89c5fa33763107bcb5945878550b89b573c13aae0ce
Opcode Fuzzy Hash: 60946cf2c6352f6042e4c9637a5862af839fd061c5a36f7a07a9601b591cae74
Instruction Fuzzy Hash: C841A434A01609EBCF10DF68C849A9EBFB5BF84324F148555E915AB392D731EE06CBD0

Function 0057C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0057C913

Strings

info, xrefs: 0057C8B4
warning, xrefs: 0057C8FC
blank, xrefs: 0057C895
stop, xrefs: 0057C8E4
question, xrefs: 0057C8CC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction ID: e212c30a210cf7aa27542c3ff9acd9c788ff0629e0f630f1785aae49e8fb743c
Opcode Fuzzy Hash: ea2bc0b084ce332786ab556cd7c5520075d54c1e45639393e8a50dd1be2c80e2
Instruction Fuzzy Hash: EE11EB3168930BBBA7119B54AC82CEA7F9CFF15754B10442FF608A6282D7707D417665

Function 0057DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0057DE42
gethostname.WSOCK32(?,00000100), ref: 0057DE5C
gethostbyname.WSOCK32(?), ref: 0057DE69
inet_ntoa.WSOCK32(?), ref: 0057DEAB
_strcat.LIBCMT ref: 0057DEB9
WSACleanup.WSOCK32 ref: 0057DEDE

Strings

0.0.0.0, xrefs: 0057DE87

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f2909701a1f36104c4a9528f267ed85dbf4d72a721e7060cbc784d3146c55ebd
Instruction ID: ee75dfb84620e70e6cfd8f51af7230fc58ee946da8e1a084ae9e42d6b3fa5ff5
Opcode Fuzzy Hash: f2909701a1f36104c4a9528f267ed85dbf4d72a721e7060cbc784d3146c55ebd
Instruction Fuzzy Hash: AE110A72504115AFDB21AB20AC0EEDE7FBCFF55711F004169F40996091EF759A81AA70

Function 0057ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0057ED2A
_wcslen.LIBCMT ref: 0057ED3B
_wcslen.LIBCMT ref: 0057ED79
_wcslen.LIBCMT ref: 0057EDAF
_wcslen.LIBCMT ref: 0057EDDF
_wcslen.LIBCMT ref: 0057EDEF
_wcslen.LIBCMT ref: 0057EE2B
_wcslen.LIBCMT ref: 0057EE5A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction ID: fd9260e992b1fcecdb2533b2e0b1c8fb117d3ad969f22688c65896332eea0067
Opcode Fuzzy Hash: 91c284f149294394141a96bf077773e97512e10061c01fc198e0c790f3d07584
Instruction Fuzzy Hash: 80418466C1021975CB11EBB4988EACF7BBCBF89710F508466F518E3122FB34E255C7A5

Function 0052F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0052F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 0056F454

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction ID: 07321a2e70d98a1bac38aea76dd3c6b95a3245066138fbfcc962061d945a9381
Opcode Fuzzy Hash: 555f59884f08ed50073d300ce7ac90860e5ff693b2ecf81badc99e52699361ac
Instruction Fuzzy Hash: FB410B31608690BAC7398B2DF88872A7FB1BF97314F14483CE087576E1D631A8C4DB11

Function 005A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A2D1B
GetDC.USER32(00000000), ref: 005A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 005A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A2DE1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction ID: b6d39b8348042ce4923334a8c5d0a1ebf2a7551c46a4fdac2a551361e7c2b3a7
Opcode Fuzzy Hash: 826aeedad7eb1065195f62f79de3374bf1494445f255d6e05f40f3e10ce37e8e
Instruction Fuzzy Hash: 92316972201214BBEB218F548C8AFEB3FA9FB1A715F044055FE089A292C6759C55CBA4

Function 00575622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575637
_memcmp.LIBVCRUNTIME ref: 00575659
_memcmp.LIBVCRUNTIME ref: 00575671
_memcmp.LIBVCRUNTIME ref: 00575684
_memcmp.LIBVCRUNTIME ref: 0057569E
_memcmp.LIBVCRUNTIME ref: 005756B1
_memcmp.LIBVCRUNTIME ref: 005756C9
_memcmp.LIBVCRUNTIME ref: 005756E4

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction ID: ce476ce3a50280507b72a00b44a597f3a5bb3df3f37a3004d0808bb695d88dfd
Opcode Fuzzy Hash: 70b45551231ea2c49f2181fb741abaf3fd90eb8826f5753e55158a43b827ec74
Instruction Fuzzy Hash: 82212961644E0A77D2185521AD96FFE3F5CFF61394F448420FD0E9A581FBA0EE1092E9

Function 00594FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00595007
NULL Pointer assignment, xrefs: 0059502E, 00595383

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 70bce1d01f652fe3e5b6a137a3f6839ccc78ef89e5bbd673c84e2f00c0dc5709
Instruction ID: 4994603213440e1249d98e5c545af81e94d688fc66b64a5b5c8d9e703bc23fe2
Opcode Fuzzy Hash: 70bce1d01f652fe3e5b6a137a3f6839ccc78ef89e5bbd673c84e2f00c0dc5709
Instruction Fuzzy Hash: A9D1E271A0060AAFDF11CFA8C885FAEBBB5FF48344F148469E915AB281E770DD55CB90

Function 00551522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005515CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00551651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005516E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005516FB

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00551777
__freea.LIBCMT ref: 005517A2
__freea.LIBCMT ref: 005517AE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction ID: c04c13829556676bdde93f596624673d63ad07e03a4ba3af2b3dd2827bf6d391
Opcode Fuzzy Hash: e8304211e53872cf78084dfc1e33bd3c4004e3408b64d64a4d2f45e1bf780cc9
Instruction Fuzzy Hash: 9D91C671E10A165ADB208E78C8A5BEE7FB5FF49315F18055AEC02E7141EB35DC48CB68

Function 00594523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00594648
VariantInit.OLEAUT32(?), ref: 00594749
VariantClear.OLEAUT32(?), ref: 00594753
VariantClear.OLEAUT32(?), ref: 005947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005945D8, 00594706, 005947BE
Incorrect Object type in FOR..IN loop, xrefs: 0059472C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 77306e72be91a7ecf0ba1ce4349f5b5347728ad51ca2df2036dff4ae9b387d75
Instruction ID: 41213f7b4867b2642b7d579067c4a1d108a3a7272f84ede0c31922d5a4a1301b
Opcode Fuzzy Hash: 77306e72be91a7ecf0ba1ce4349f5b5347728ad51ca2df2036dff4ae9b387d75
Instruction Fuzzy Hash: B5917E71A00219ABDF24CFA4D848FAEBFB8FF46715F108559E505AB280D7709D46CFA0

Function 00581187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0058125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00581284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0058135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00581430

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction ID: de43210863cf6dd09675dc264b1f14575ccda69dbb8db402c8801cd81d3bf2c4
Opcode Fuzzy Hash: 148ef1dbce5227e56b34e09841ee106e26920361c44d50065e1b0d91fa047f87
Instruction Fuzzy Hash: 7F91E175A006199FDB00EF94C889BBEBFB9FF85311F104429E901FB291D774A946CB98

Function 0052948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction ID: 3cb3b983fbfa0f9e69b899443e4a6e3a1e498c1d3afaa14e7ea96eee4cdfe8c9
Opcode Fuzzy Hash: 83f3c22fb306f6be88ca3d7481be7fa10cefbf19928e3787af2bff1dfcc73a85
Instruction Fuzzy Hash: 46910671E00219AFCB14CFA9D888AEEBFB8FF4A320F144555E515B7291D774A941CBA0

Function 00593947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0059396B
CharUpperBuffW.USER32(?,?), ref: 00593A7A
_wcslen.LIBCMT ref: 00593A8A
VariantClear.OLEAUT32(?), ref: 00593C1F

Part of subcall function 00580CDF: VariantInit.OLEAUT32(00000000), ref: 00580D1F
Part of subcall function 00580CDF: VariantCopy.OLEAUT32(?,?), ref: 00580D28
Part of subcall function 00580CDF: VariantClear.OLEAUT32(?), ref: 00580D34

Strings

AUTOIT.ERROR, xrefs: 00593A80, 00593A85
Incorrect Parameter format, xrefs: 005939A6, 00593BA1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction ID: dc642ee4a540e05f302883e646ca5ec0a6347dd7f755bcea8d9dc74af3d1ce25
Opcode Fuzzy Hash: d1de0cec47eb83c8b73fed0c5b2871f7964d3ad9d0ec9e0fbbb42569a274da58
Instruction Fuzzy Hash: 769136756083069FCB10EF28C49596ABBE5FF89314F14882DF88997351DB30EE45CB92

Function 00594BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0057000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
Part of subcall function 0057000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
Part of subcall function 0057000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
Part of subcall function 0057000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00594C51
_wcslen.LIBCMT ref: 00594D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00594DCF
CoTaskMemFree.OLE32(?), ref: 00594DDA

Strings

NULL Pointer assignment, xrefs: 00594E23, 00594E52

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction ID: 60621b3f739e646e4d965c75ee284f12d03f14d315a975b55d033b0dbefe4138
Opcode Fuzzy Hash: 0d877d0f5680bbfd8bc4b1a12b15a4521c267de10851dd49e1813de6f20319c2
Instruction Fuzzy Hash: 80911671D0021AAFDF10DFA4D895EEEBBB8BF48310F108569E919A7241DB309E45CF60

Function 005A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005A2183
GetMenuItemCount.USER32(00000000), ref: 005A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A21DD
_wcslen.LIBCMT ref: 005A2213
GetMenuItemID.USER32(?,?), ref: 005A224D
GetSubMenu.USER32(?,?), ref: 005A225B

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005A22E3

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 53e36e2993b9f00c0cef0959bd2ffbd06f097c43b64f420f4058ee9d107a7b3c
Instruction ID: c20852dbd681ee844113cfb4df46e37ba3a5a5cefbeecbe0b2aa2c3e45403db4
Opcode Fuzzy Hash: 53e36e2993b9f00c0cef0959bd2ffbd06f097c43b64f420f4058ee9d107a7b3c
Instruction Fuzzy Hash: 55714B75A00215AFCB10DF68C846AAEBFF5BF8A310F148469E916AB351DB34ED418B90

Function 005A7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DA6430), ref: 005A7F37
IsWindowEnabled.USER32(00DA6430), ref: 005A7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 005A801E
SendMessageW.USER32(00DA6430,000000B0,?,?), ref: 005A8051
IsDlgButtonChecked.USER32(?,?), ref: 005A8089
GetWindowLongW.USER32(00DA6430,000000EC), ref: 005A80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005A80C3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d87aec16feb92479b5353dc36a41eb92670cc3dde134ae5ce6792a76c3e342d5
Instruction ID: e6b27c16929c0c9da5fd5348c41c6e9a936cb2a796b9d50470e2dde8bed12b99
Opcode Fuzzy Hash: d87aec16feb92479b5353dc36a41eb92670cc3dde134ae5ce6792a76c3e342d5
Instruction Fuzzy Hash: 1771AB34608248AFEB219F64CC88FBEBFB9FF5B300F144459E95597261CB31AA44DB20

Function 0057AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0057AEF9
GetKeyboardState.USER32(?), ref: 0057AF0E
SetKeyboardState.USER32(?), ref: 0057AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0057AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0057AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0057AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0057B020

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction ID: 7be483fbd37eb13ca928255f13004dd394cd7099eaf4d2ad01014ca44ad8056f
Opcode Fuzzy Hash: 4f1173effa0c305a0a07e059feb70ada640a78b3b7c93d56ff0aa68b6667f26a
Instruction Fuzzy Hash: 4351D1A06087D53DFB3682349C49BBEBEA96B46304F08C589E1DD958C3D398ACC8E751

Function 0057ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0057AD19
GetKeyboardState.USER32(?), ref: 0057AD2E
SetKeyboardState.USER32(?), ref: 0057AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0057ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0057ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0057AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0057AE38

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction ID: 2a5d4e7a1b1f96e325617f309cc14afbe8a8c276494c597c50560d8cea99cd91
Opcode Fuzzy Hash: c43deac456268518980e2d445fc184cb9d67f655e4d90ae42bd94ce82bec954f
Instruction Fuzzy Hash: 8D51B3A15047D53DFB3783249C55BBE7EA97B86300F08C589E5DD868C2D294EC88F762

Function 0054542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00553CD6,?,?,?,?,?,?,?,?,00545BA3,?,?,00553CD6,?,?), ref: 00545470
__fassign.LIBCMT ref: 005454EB
__fassign.LIBCMT ref: 00545506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00553CD6,00000005,00000000,00000000), ref: 0054552C
WriteFile.KERNEL32(?,00553CD6,00000000,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 0054554B
WriteFile.KERNEL32(?,?,00000001,00545BA3,00000000,?,?,?,?,?,?,?,?,?,00545BA3,?), ref: 00545584

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction ID: 24808c6eb1eebcecf855a58c8dca5a9990f6fc865d75660e9bc5a7327662084e
Opcode Fuzzy Hash: 682d5176a5f3b3f1c0d048d993e3aceda236afee3b24c48ac106d56ed995fb66
Instruction Fuzzy Hash: 4B51E270A00649AFDB11CFA8D885AEEBFF9FF09304F14451AF955E7292E7309A41CB60

Function 005910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
Part of subcall function 0059304E: _wcslen.LIBCMT ref: 0059309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00591112
WSAGetLastError.WSOCK32 ref: 00591121
WSAGetLastError.WSOCK32 ref: 005911C9
closesocket.WSOCK32(00000000), ref: 005911F9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction ID: 04beafee710abd91a90cd2a77743609229ea6634105e9c3ca98ffbced2de8dcd
Opcode Fuzzy Hash: 52c1d0984418bdefbaf55567892f54968910bd33872977c18160b35f4cdbc218
Instruction Fuzzy Hash: 7C412531600616AFEB109F14C888BA9BFE9FF85324F148059FD169B291C774ED85DBE4

Function 0057CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

lstrcmpiW.KERNEL32(?,?), ref: 0057CF45
MoveFileW.KERNEL32(?,?), ref: 0057CF7F
_wcslen.LIBCMT ref: 0057D005
_wcslen.LIBCMT ref: 0057D01B
SHFileOperationW.SHELL32(?), ref: 0057D061

Strings

\*.*, xrefs: 0057CFF3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction ID: ada66f8667195852e43d9519554c622855c0565a0c124dc18f69882a95181e2f
Opcode Fuzzy Hash: b2adf41d0e0980f70a79bc6dd2825a0315901cbbea0c00f4b0856cc63b38b3cf
Instruction Fuzzy Hash: FA4158719052195FDF12EFA4D985BDD7FB8BF49340F0040E6E509E7141EA34A688DB50

Function 005A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005A2E1C
GetWindowLongW.USER32(?,000000F0), ref: 005A2E4F
GetWindowLongW.USER32(?,000000F0), ref: 005A2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005A2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005A2EE0
GetWindowLongW.USER32(?,000000F0), ref: 005A2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A2F0B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction ID: 1ece014ebc33cc210ac4a3980a161cae4336022ef94b4a8af5ac0834027a5871
Opcode Fuzzy Hash: a10d1cbca326467a2bf8d54234813347081dd57b8fbb8e05d43d1b0f40771c60
Instruction Fuzzy Hash: EC31E230604150AFDB25CF5CDC86F693BE9FBAA710F150164F944CF2A2CB71A884EB41

Function 00577726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0057778F
SysAllocString.OLEAUT32(00000000), ref: 00577792
SysAllocString.OLEAUT32(?), ref: 005777B0
SysFreeString.OLEAUT32(?), ref: 005777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005777DE
SysAllocString.OLEAUT32(?), ref: 005777EC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 30a8af65b575c4b32c49ff329ad1760fcc9de2236d179f69995b760978716db4
Instruction ID: 2c3f50426a146e8d2bc7d00069235f1cea404695fe4d317a572107786424b804
Opcode Fuzzy Hash: 30a8af65b575c4b32c49ff329ad1760fcc9de2236d179f69995b760978716db4
Instruction Fuzzy Hash: CA21AE7660421DAFDF14DFA8EC88CBB7BACFB0E3647008425BA18DB190D670DC469764

Function 005777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00577868
SysAllocString.OLEAUT32(00000000), ref: 0057786B
SysAllocString.OLEAUT32 ref: 0057788C
SysFreeString.OLEAUT32 ref: 00577895
StringFromGUID2.OLE32(?,?,00000028), ref: 005778AF
SysAllocString.OLEAUT32(?), ref: 005778BD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cc185604e047de12a57dd6470c16ed096679ee3e92bbbc545b7fb8b96b268a20
Instruction ID: f04f6c16220ee9e93ed60939c5d961383f60e93ca6d7507fa7efb3135eb97a5d
Opcode Fuzzy Hash: cc185604e047de12a57dd6470c16ed096679ee3e92bbbc545b7fb8b96b268a20
Instruction Fuzzy Hash: A0215E31608219AF9F109BA8EC8CDBA7BECFB0D7607108125B919CB2A1DA74DC45DB65

Function 005804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0058052E

Strings

nul, xrefs: 00580567

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction ID: 9c7d3147b386a8114e02b5750a2c6f5bd12c813dd4f1ddfa126cea67167ce39d
Opcode Fuzzy Hash: 9163fb88ef69ad07d9bcbf2d9abde371c666f0f824b76126871922de985afc78
Instruction Fuzzy Hash: 90212C75600305AFDF60AF69D844A9A7FE4BF55724F204A19ECA1E62E0E7709948DF30

Function 005805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00580601

Strings

nul, xrefs: 00580639

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction ID: e5c723a863d6c6fe7cf82ad9c551b56497688e16fb38169c5e756eea4dd4cab2
Opcode Fuzzy Hash: 469c7f529e6904b28756ad76fc6052d83c925d50faf29598e57948f3ca456fbc
Instruction Fuzzy Hash: AB2153755003059FDB60AF6A9C04A6A7FE4BF95720F205B19FCA1F72E0E7709969CB20

Function 005A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A4145

Strings

Msctls_Progress32, xrefs: 005A40E3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction ID: cb4d0cc8cb859647043195d014e59a02076571dedb0c9a3cb7cb2736a4013ce4
Opcode Fuzzy Hash: 12330973ad5a0c88b0ba4e5418dedbe544a927d7a456d07af947f54c5f628b4f
Instruction Fuzzy Hash: 8311B6B114011D7EEF118FA4CC85EEB7F5DFF59798F004111B618A6150C6729C61DBA4

Function 0054D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0054D7A3: _free.LIBCMT ref: 0054D7CC

_free.LIBCMT ref: 0054D82D

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D838
_free.LIBCMT ref: 0054D843
_free.LIBCMT ref: 0054D897
_free.LIBCMT ref: 0054D8A2
_free.LIBCMT ref: 0054D8AD
_free.LIBCMT ref: 0054D8B8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: eef9f0f7ce89c446af916082ef0dcf5a34906bd0a27450ed26007c2b7c5374a1
Instruction ID: 417ec84ad38db8e74e8797b67926e58fb58d938e5b93832e5d11f6772c22c25f
Opcode Fuzzy Hash: eef9f0f7ce89c446af916082ef0dcf5a34906bd0a27450ed26007c2b7c5374a1
Instruction Fuzzy Hash: 1B114F71540B15ABE921BFB1CC4BFCB7FFCBF80704F800825B29DA6192DA79B5454660

Function 0057DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0057DA74
LoadStringW.USER32(00000000), ref: 0057DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057DA91
LoadStringW.USER32(00000000), ref: 0057DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0057DAB9

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction ID: 47a6e13620e782190c6b3c9374313eeff20332fda4825a87478aa119a98b56a1
Opcode Fuzzy Hash: a3e50674b9392eec5578a4a4c1b0e4618bff2f7d6d3b45e7e0f1088cc93f5f71
Instruction Fuzzy Hash: 560167F25002087FEB10D7A49D89EEB3BBCFB05301F404456B709E2041E6749E849F74

Function 0058096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D9EC68,00D9EC68), ref: 0058097B
EnterCriticalSection.KERNEL32(00D9EC48,00000000), ref: 0058098D
TerminateThread.KERNEL32(?,000001F6), ref: 0058099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005809A9
CloseHandle.KERNEL32(?), ref: 005809B8
InterlockedExchange.KERNEL32(00D9EC68,000001F6), ref: 005809C8
LeaveCriticalSection.KERNEL32(00D9EC48), ref: 005809CF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction ID: 0b7a1e224bf35d8a7f398d5ecd0e6b4f17d5088d86843c90ea5afdf2fb671657
Opcode Fuzzy Hash: 66175c213383191e2dcd659fa7aa0d598061f62dae75511bcaf649f8666eeec4
Instruction Fuzzy Hash: 57F03C32542A02BBD7415FA4EE8CBE6BF39FF12702F402025F202A18A0CB749469DF90

Function 00515D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00515D30
GetWindowRect.USER32(?,?), ref: 00515D71
ScreenToClient.USER32(?,?), ref: 00515D99
GetClientRect.USER32(?,?), ref: 00515ED7
GetWindowRect.USER32(?,?), ref: 00515EF8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 55ba09df899d0c638a916fd0e56a3c414496e136664193bddbebce17eb8d1f6b
Instruction ID: c7d7fc1143cd14310f257dc9f45e312d369d90796f03a5c7a261fc8d267bacc6
Opcode Fuzzy Hash: 55ba09df899d0c638a916fd0e56a3c414496e136664193bddbebce17eb8d1f6b
Instruction Fuzzy Hash: 92B17C34A0074ADBDB10CFA8C4807EEBBF5FF58314F14891AE8A9D7250E730AA95DB50

Function 005401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005400D6
__allrem.LIBCMT ref: 005400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0054010B
__allrem.LIBCMT ref: 00540122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00540140

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 8e23473207f57ba74eec83dc3c1ed4eca54db54e1dc9b9ce217cb2f8d7501e95
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: B081F871A007069BE724AE39CC49BAB7FE9BF91328F24553AF951D76C1E770D9008B50

Function 00591D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00593149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0059101C,00000000,?,?,00000000), ref: 00593195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00591DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00591DE1
WSAGetLastError.WSOCK32 ref: 00591DF2
inet_ntoa.WSOCK32(?), ref: 00591E8C
htons.WSOCK32(?,?,?,?,?), ref: 00591EDB
_strlen.LIBCMT ref: 00591F35

Part of subcall function 005739E8: _strlen.LIBCMT ref: 005739F2

Part of subcall function 00516D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0052CF58,?,?,?), ref: 00516DBA
Part of subcall function 00516D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0052CF58,?,?,?), ref: 00516DED

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 95dce15d863a9aa931d401370d680609f7948405a584e1010a0daf0dd5ff7591
Instruction ID: 2c453095c02d1d33421350a442251758ee16b73a13de28296ac07b33187f6ea4
Opcode Fuzzy Hash: 95dce15d863a9aa931d401370d680609f7948405a584e1010a0daf0dd5ff7591
Instruction Fuzzy Hash: 1DA1FF31104712AFDB14DB20C889E6A7FA5BFC4318F54894CF4565B2E2DB31ED86CB91

Function 005461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005382D9,005382D9,?,?,?,0054644F,00000001,00000001,8BE85006), ref: 00546258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0054644F,00000001,00000001,8BE85006,?,?,?), ref: 005462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005463D8
__freea.LIBCMT ref: 005463E5

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

__freea.LIBCMT ref: 005463EE
__freea.LIBCMT ref: 00546413

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction ID: 3fbf251d5f23bc9fb632ed8b9185025db5f5fafee3f0279a8ec4fe322b68717f
Opcode Fuzzy Hash: aaab3657ba961c92df682226c7d01fa4ad07365ca3ccf535e5004d626b7b0eb4
Instruction Fuzzy Hash: 5751DE72600256ABEB258E64DC85FEF7FA9FB86718F144A29F805D7190DB34DC40C6A1

Function 0059BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BD25
RegCloseKey.ADVAPI32(00000000), ref: 0059BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0059BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059BDF3
RegCloseKey.ADVAPI32(?), ref: 0059BDFF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: dee6fc16c76a1dc00b263237ad1ed706076fb4e4da9cbd0a05baec74b5c1a870
Instruction ID: 2a9319274df48716c95288e4857821f2f203e22104ad1a171ec66022f79a0c6c
Opcode Fuzzy Hash: dee6fc16c76a1dc00b263237ad1ed706076fb4e4da9cbd0a05baec74b5c1a870
Instruction Fuzzy Hash: 7B819D30108242AFE714DF24D995E6ABFE9FF85308F14895CF4594B2A2DB31ED45CB92

Function 0056F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0056F7B9
SysAllocString.OLEAUT32(00000001), ref: 0056F860
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F889
VariantClear.OLEAUT32(0056FA64), ref: 0056F8AD
VariantCopy.OLEAUT32(0056FA64,00000000), ref: 0056F8B1
VariantClear.OLEAUT32(?), ref: 0056F8BB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction ID: bd3130b51eb21b362942704d5d13f4857b70a6ea9e97e5f70fdf2f0b091cf2e1
Opcode Fuzzy Hash: f817c579a5261397b4948ee04a2e17cf52ee271edbbce01a0ff72a991b5af2cd
Instruction Fuzzy Hash: AA51C831E00311BBDF20AB65F899B69BFA9FF95310F245866E905DF291DB708C40C766

Function 0058910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005894E5
_wcslen.LIBCMT ref: 00589506
_wcslen.LIBCMT ref: 0058952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00589585

Strings

X, xrefs: 00589412

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 3c872663824bfd4400dc09ac030b393a0e9e2f6d2ee94d2bb4425de111b9c2d7
Instruction ID: 11df7cf4072da922e408185763d5ec414add65fba783ca5403043dd5de1535b1
Opcode Fuzzy Hash: 3c872663824bfd4400dc09ac030b393a0e9e2f6d2ee94d2bb4425de111b9c2d7
Instruction Fuzzy Hash: 51E1B5315043019FD714EF24C885AAEBBE4BFC5314F18896DF8999B2A2DB31ED45CB92

Function 0052920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

BeginPaint.USER32(?,?,?), ref: 00529241
GetWindowRect.USER32(?,?), ref: 005292A5
ScreenToClient.USER32(?,?), ref: 005292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005292D3
EndPaint.USER32(?,?,?,?,?), ref: 00529321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005671EA

Part of subcall function 00529339: BeginPath.GDI32(00000000), ref: 00529357

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction ID: 027379cd50156cfc62f615645239b1b77b58bb2120b6ee5cc23bfec4bf28e176
Opcode Fuzzy Hash: 600491df042dabb187265537b9008f717c858d08481e37eaf564b22aa9983ebe
Instruction Fuzzy Hash: C1419F31104255AFD710DF24D884FBA7FA8FFAA724F140629F994CB2E2C7309849EB61

Function 005807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0058080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00580847
EnterCriticalSection.KERNEL32(?), ref: 00580863
LeaveCriticalSection.KERNEL32(?), ref: 005808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00580921

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 5b3b7a8bcfec88480fe6c2be9df9e9d4d0eb08c86ae5981afdee7790d539bb41
Instruction ID: 4500ba0523c5062cea205dafcd198b214d5d59c943d0a2c7110aba8eaec8f3da
Opcode Fuzzy Hash: 5b3b7a8bcfec88480fe6c2be9df9e9d4d0eb08c86ae5981afdee7790d539bb41
Instruction Fuzzy Hash: 34415B71A00205EBDF55AF54EC85AAA7B78FF45310F1440B9ED00AA297DB30DE69DBA0

Function 005A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0056F3AB,00000000,?,?,00000000,?,0056682C,00000004,00000000,00000000), ref: 005A824C
EnableWindow.USER32(?,00000000), ref: 005A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 005A82D1
ShowWindow.USER32(?,00000004), ref: 005A82E5
EnableWindow.USER32(?,00000001), ref: 005A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005A832F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction ID: 1e32dd9f8b9f24350eac1461971b1f38191ecfe6c4d8894e7d7143417267ca4d
Opcode Fuzzy Hash: 302fec1ea4a281543b8c0a1868243c3f5b1eb525ff7c0e8d4391959ef76cc2c5
Instruction Fuzzy Hash: BC419F34601A44AFDF25CF14DC99BB87FE0BF5BB14F1851A9E6488F2A2CB31A845DB50

Function 00574C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00574C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00574CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00574CEA
_wcslen.LIBCMT ref: 00574D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00574D10
_wcsstr.LIBVCRUNTIME ref: 00574D1A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a49d60e4cd63a45b0a780c4355234476869504beadc5f3e67331c6e240159dcd
Instruction ID: ea13f0270ee074d96add9a742b390796300102f201a5ab985024bad39e9a3012
Opcode Fuzzy Hash: a49d60e4cd63a45b0a780c4355234476869504beadc5f3e67331c6e240159dcd
Instruction Fuzzy Hash: BD21DA31204111BBEB269B39BC49E7B7FACEF46750F108079F809CE191EB61DC00ABA0

Function 0058581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00513AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00513A97,?,?,00512E7F,?,?,?,00000000), ref: 00513AC2

_wcslen.LIBCMT ref: 0058587B
CoInitialize.OLE32(00000000), ref: 00585995
CoCreateInstance.OLE32(005AFCF8,00000000,00000001,005AFB68,?), ref: 005859AE
CoUninitialize.OLE32 ref: 005859CC

Strings

.lnk, xrefs: 00585876, 005858C1, 00585985

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction ID: df1f498cf2d8dc26ba8d104b54e7ceb7076030961fc1a982c014677c50aa6180
Opcode Fuzzy Hash: 66add4af07420ba6520e94311120401a5537471fe4e827a8e4178f8d80feeec8
Instruction Fuzzy Hash: 7DD155716046029FC714EF24C484A6ABBF6FF89715F14485DF88AAB361EB31EC45CB92

Function 0057175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
Part of subcall function 00570FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
Part of subcall function 00570FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
Part of subcall function 00570FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
Part of subcall function 00570FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

GetLengthSid.ADVAPI32(?,00000000,00571335), ref: 005717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005717BA
HeapAlloc.KERNEL32(00000000), ref: 005717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005717DA
GetProcessHeap.KERNEL32(00000000,00000000,00571335), ref: 005717EE
HeapFree.KERNEL32(00000000), ref: 005717F5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction ID: a306c3febc59018670b8c3e746feebefba4651decdf4236d2cc456a286eb8a99
Opcode Fuzzy Hash: 4da0a6e0e45fd49973f8ec42e1f887c681cf1f5190ee6c258dc5d49234eb325e
Instruction Fuzzy Hash: 7111BE71600605FFDB189FA8EC49BAE7FA9FB42355F108018F44597210C735A948EB64

Function 005714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00571506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00571515
CloseHandle.KERNEL32(00000004), ref: 00571520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0057154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00571563

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction ID: 3de88d6edb35001512216c03d84204cd82d6485c888df2724c75c87a67a78cfc
Opcode Fuzzy Hash: 0c0604779c7198e041c0ac53323d7efa6ea176cf0264872020bb5f81644529f7
Instruction Fuzzy Hash: FF112972500209ABDF118F98ED49FDE7FAAFF49744F048059FA09A2160C3758E68EB64

Function 00533382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00533379,00532FE5), ref: 00533390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0053339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005333B7
SetLastError.KERNEL32(00000000,?,00533379,00532FE5), ref: 00533409

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0814a7d5790b763d352e923930218a73e478aee21eca2a61569909e4f3576635
Instruction ID: f693e8de9a1fddd44ff4ea10a9246f772a41f29b1619651dd54edb8fdbc2cff6
Opcode Fuzzy Hash: 0814a7d5790b763d352e923930218a73e478aee21eca2a61569909e4f3576635
Instruction Fuzzy Hash: 4201243320A313BEAB2527757C8E66B6F94FB65379F20862BF411812F0EF115D09E544

Function 00542D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00545686,00553CD6,?,00000000,?,00545B6A,?,?,?,?,?,0053E6D1,?,005D8A48), ref: 00542D78
_free.LIBCMT ref: 00542DAB
_free.LIBCMT ref: 00542DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0053E6D1,?,005D8A48,00000010,00514F4A,?,?,00000000,00553CD6), ref: 00542DEC
_abort.LIBCMT ref: 00542DF2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 1cb994cee6c49f6396bb37f906bad7de69e7160a1eaf9399dccbabde44ef99aa
Instruction ID: f5cbab5f9bf341c041b5f3053ea48a15feefdc3825c3808692b893db0908a8b7
Opcode Fuzzy Hash: 1cb994cee6c49f6396bb37f906bad7de69e7160a1eaf9399dccbabde44ef99aa
Instruction Fuzzy Hash: 02F0F935905A2227C72223356C0EBDA3E65BFD276CF640416F424921D1DE7088065120

Function 005A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 005A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005A8A70
LineTo.GDI32(?,00000000,00000003), ref: 005A8A80
EndPath.GDI32(?), ref: 005A8A90
StrokePath.GDI32(?), ref: 005A8AA0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction ID: d6a9bafa926ed9261b32c204509212f39831f4894a095bc47e0e22db3f1a9880
Opcode Fuzzy Hash: 880811f625384f7cafed96dc88a10d03216ccd5bd4fa63b78743ad497293b7c0
Instruction Fuzzy Hash: 12110976000149FFDB129F90DC88EAE7FACFB1A350F008052BA199A1A1C7719D59EBA0

Function 005751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00575218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00575229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00575230
ReleaseDC.USER32(00000000,00000000), ref: 00575238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00575261

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction ID: ad0b1388eaca1b18f430a971a13d0f30a7ef8ad6dc48fd6bf1e412b1780d21bf
Opcode Fuzzy Hash: ce413d83f2e67e5c5b2219b6865e6ddd81dea95bc3f1141dc53e6be5b01bbaae
Instruction Fuzzy Hash: 34014F75E00719BBEB109FA59C49A5EBFB8FB59751F044065FA04A7281D6709C04DBA0

Function 00511BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00511BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00511BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00511C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00511C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00511C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00511C22

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction ID: 8104bd8a3a16777a0100d31c6e56535fe1fec174e2b76d9ba146ccab654f1ad9
Opcode Fuzzy Hash: b6fc38aaa8901985c9f2a787d21690b57a47ac0ad622e25252784ae949c0b537
Instruction Fuzzy Hash: 56016CB09027597DE3008F5A8C85B52FFE8FF19354F04411B915C4B941C7F5A864CBE5

Function 0057EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0057EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0057EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0057EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057EB75

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction ID: fc39b818e2df40502db5299f8939906dcd16140d734222746a9f8807cb6daf27
Opcode Fuzzy Hash: cb8b2c5986061f3ecbe7529d368d2e85f1512affa14f6e349cd04dc55f1f8ae4
Instruction Fuzzy Hash: E4F05E72240158BFE7219B669C0EEEF3E7CEFDBB11F004159F601D6091EBA05A05E6B5

Function 00567439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00567452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00567469
GetWindowDC.USER32(?), ref: 00567475
GetPixel.GDI32(00000000,?,?), ref: 00567484
ReleaseDC.USER32(?,00000000), ref: 00567496
GetSysColor.USER32(00000005), ref: 005674B0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction ID: d1812f9935a0adfe8a119fd6e5cfcef09dae11d2db8d67be07d1dd61e9215de1
Opcode Fuzzy Hash: 2ded65c8e3c2f113880d184c2ae073f1e8081e6a7966a9bfc89ba16d13495d4a
Instruction Fuzzy Hash: 71018B31400219EFDB109F64DD08BAA7FB5FF19312F1004A0FA16A31A0CF311E45EB50

Function 00571874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057187F
UnloadUserProfile.USERENV(?,?), ref: 0057188B
CloseHandle.KERNEL32(?), ref: 00571894
CloseHandle.KERNEL32(?), ref: 0057189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005718A5
HeapFree.KERNEL32(00000000), ref: 005718AC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction ID: 53388d2a26a516a9766c5c590047ea269dd84adecef78addd8aa7507263693c6
Opcode Fuzzy Hash: 7b1f133492d5ece76174093fd546ca3583e09e08d24f743fd9ffd3a0e52d2b78
Instruction Fuzzy Hash: 63E0E536204101BBDB015FA1ED0C90ABF79FF6AB22B108625F22581070CB329425EF50

Function 0051BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0051BEB3

Strings

D%^, xrefs: 0051BCA2
D%^, xrefs: 0051BE9A
D%^D%^, xrefs: 0051BCA5
D%^, xrefs: 0051BDED, 0051BD91, 0051BD1B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%^$D%^$D%^$D%^D%^
API String ID: 1385522511-1929028606
Opcode ID: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction ID: 6f991f027e25756a3003fd0b7dcf529f9e945aea5314bd44430ac6a76bf9f4a1
Opcode Fuzzy Hash: ee0637ec5ae8d1e99c32a99323fdec80142ee181e792a72d4f7fcefe397a9730
Instruction Fuzzy Hash: D6913875A0020ACFEB18CF59C0906EABBF1FF58314F24856AD985AB351E731AD81DBD0

Function 00597B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00597BFB

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Strings

+TV, xrefs: 00597E2E
5, xrefs: 00597C78
Variable must be of type 'Object'., xrefs: 00597C3A
G, xrefs: 00597C7F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TV$5$G$Variable must be of type 'Object'.
API String ID: 535116098-200929741
Opcode ID: dd743e6b6e7f38b893b0408a6e180171b09f691def82274124626138dbd991bb
Instruction ID: 5f0fb7d791387c32185073a1c367636e123ab176c65c60e18ac2b4aa22c28088
Opcode Fuzzy Hash: dd743e6b6e7f38b893b0408a6e180171b09f691def82274124626138dbd991bb
Instruction Fuzzy Hash: 8A919D74A1420AEFCF04EF54D8959ADBFB5FF89300F14845AF8469B292DB71AE81CB50

Function 0057C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C6EE
_wcslen.LIBCMT ref: 0057C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0057C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0057C7CA

Strings

0, xrefs: 0057C6AF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 1fd072547dfd703c48e03b3ceb279b8f33465d885e4f2eec45220a6a42710356
Instruction ID: a3dda11ab15fac253c6db574705e2fd073e956b4adf7794585aac684035722c4
Opcode Fuzzy Hash: 1fd072547dfd703c48e03b3ceb279b8f33465d885e4f2eec45220a6a42710356
Instruction Fuzzy Hash: 9C51DF716043019BD7199F28E889B6B7FE8FF89310F048A2DF999D31D1DB70D944AB52

Function 0059AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0059AEA3

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

GetProcessId.KERNEL32(00000000), ref: 0059AF38
CloseHandle.KERNEL32(00000000), ref: 0059AF67

Strings

@, xrefs: 0059AE72
<, xrefs: 0059AE6B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: df3c24d522953f29ada620cc846509c2e90526cc4d425526d93c8ec66ad93cb9
Instruction ID: 90671fb062b8a2f915692e78eef52098666e0e30d31774189c009a972bd22642
Opcode Fuzzy Hash: df3c24d522953f29ada620cc846509c2e90526cc4d425526d93c8ec66ad93cb9
Instruction Fuzzy Hash: 55715574A0021A9FDF14DF54C488A9EBBF5FF48300F048499E816AB392DB31ED85CBA1

Function 0057719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00577206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005772CF

Strings

DllGetClassObject, xrefs: 00577242

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction ID: da2a720d7b9e695153c1b04487fd3d582e97116edaf2c8853fbfc902e3e55f44
Opcode Fuzzy Hash: 80f6784be5d728d7666e60af358c3003d011ee086498d1c3f4699d5c60d96ee3
Instruction Fuzzy Hash: BE417F75604208EFDB15CF54E884A9A7FB9FF49310F14C4A9BD199F20AD7B0DA44EBA0

Function 005A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A3E35
IsMenu.USER32(?), ref: 005A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A3E92
DrawMenuBar.USER32 ref: 005A3EA5

Strings

0, xrefs: 005A3D89

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1bceec80553098125193177f9fca3ba96c71b585e905496f9ab3174f2a8371fb
Instruction ID: 6be0cb3900492b489e7d8b38080c9504939d65d214191f6a9dae164730f321f5
Opcode Fuzzy Hash: 1bceec80553098125193177f9fca3ba96c71b585e905496f9ab3174f2a8371fb
Instruction Fuzzy Hash: C3413875A01209EFDB10DF50E884AEEBBB9FF4A359F04412AF905AB250D730AE54DF50

Function 00571DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00571E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00571E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00571EA9

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Strings

ListBox, xrefs: 00571E25
ComboBox, xrefs: 00571DF0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f287664d431fd0abb18ec9700a7f7a8d701f0ba397c8fb942309107aacc1d798
Instruction ID: 892e5f3c202c9373ec246605e7e8a0d623a05e3ad30fdf0578eba26b9ef320ff
Opcode Fuzzy Hash: f287664d431fd0abb18ec9700a7f7a8d701f0ba397c8fb942309107aacc1d798
Instruction Fuzzy Hash: 42210A71900105BAEB149B68EC5ACFF7FBCFF86390B108529FC59A72D1DB344D49A660

Function 0059C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0059C9F1
_wcslen.LIBCMT ref: 0059CA68
_wcslen.LIBCMT ref: 0059CA9E
_wcslen.LIBCMT ref: 0059CAF9
_wcslen.LIBCMT ref: 0059CB2F
_wcslen.LIBCMT ref: 0059CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0059CA62, 0059CA67
HKLM, xrefs: 0059CA98, 0059CA9D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
Instruction ID: 522803fa16ebc2750780e43fed22bc03c45084630453367975b6cd4281c06cd4
Opcode Fuzzy Hash: 2cade854eb4908f9b374b67b62f35ba981a09a99db2bb01d5779fb6f223a36b7
Instruction Fuzzy Hash: 0831F873A0056E4BCF30DF2C99501BE3F91BBA5790F55402AE855AB345F671CE84D7A0

Function 005A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A2F8D
LoadLibraryW.KERNEL32(?), ref: 005A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A2FA9
DestroyWindow.USER32(?), ref: 005A2FB1

Strings

SysAnimate32, xrefs: 005A2F68

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction ID: 96ab904e3b7256b38d47e8eba9819b34847afc57450e7fba80572e2985b0c4f6
Opcode Fuzzy Hash: 03ab5e489a4027317a90e1f0d6a2ae0bb6f6a0279b32785d7187ffa461151d4c
Instruction Fuzzy Hash: CF219A71204209AFEB108F68DC87EBF3BB9FB5A364F104619FA50D6190D771DC91AB60

Function 00534D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002), ref: 00534D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00534DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00534D1E,005428E9,?,00534CBE,005428E9,005D88B8,0000000C,00534E15,005428E9,00000002,00000000), ref: 00534DC3

Strings

mscoree.dll, xrefs: 00534D86
CorExitProcess, xrefs: 00534D98

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction ID: 692752c2c850a5c8ed03e6f098b84b58c0440c771ae0dc7cf6b7e5924add74c1
Opcode Fuzzy Hash: 974339bd7cf61aa76d78f159d82908e21f210110e3a7a5bedf94b514405cbfd3
Instruction Fuzzy Hash: CDF03C34A40209ABDB119B94DC49BAEBFE5FB54751F0001A5E806A62A0CB70A944DE90

Function 00514E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514EAE
FreeLibrary.KERNEL32(00000000,?,?,00514EDD,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514EC0

Strings

kernel32.dll, xrefs: 00514E94
Wow64DisableWow64FsRedirection, xrefs: 00514EA8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction ID: 16283ffd9647496279248e6936e60fcdeb8308ace92cc0f5365f1196ffeef1e6
Opcode Fuzzy Hash: 5d36be5614eb4e6998002b964ab54e41cd091c887bffed96b6f490ff2449181c
Instruction Fuzzy Hash: 54E08635B016225BE33117257C18B9F7E58BF93B627050215FC04D2200DB60CD4598A2

Function 00514E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514E74
FreeLibrary.KERNEL32(00000000,?,?,00553CDE,?,005E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00514E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00514E6E
kernel32.dll, xrefs: 00514E5B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction ID: c00cc8ec08d002cd9b4a5957fddf67c7e2e60ced3bcc97b4d2ec27bf5b7f19f1
Opcode Fuzzy Hash: 8b0b7506932a8cdee092e827fff0d333b0eeb814c379298c8e358e1370f63e03
Instruction Fuzzy Hash: 17D0123560262257A7321B257C18DCF7E1CBF87B513050715F905A6214DF61CD46D9E1

Function 00582947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582C05
DeleteFileW.KERNEL32(?), ref: 00582C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00582C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00582CC0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c9265f0dc7b09e6f7b65cdb07604ec9e22f9c21fcc421de5ee2fbd8f50c0f2ff
Instruction ID: d8a466fde6715d192c1b25391eab9c62b1a2b36353e92d2b34031b6139532f0e
Opcode Fuzzy Hash: c9265f0dc7b09e6f7b65cdb07604ec9e22f9c21fcc421de5ee2fbd8f50c0f2ff
Instruction Fuzzy Hash: 99B1417190111AABDF15EBA4CC89EEE7FBDFF89350F1040A6F909F6141EA319A448F61

Function 0059A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0059A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059A468
CloseHandle.KERNEL32(?), ref: 0059A63D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 03b6ca2fe12878da1c5c8d003b41012fd0046db1cd9d635ff7dcb1b093906e26
Instruction ID: a1d191c2bac256b3c28d0f258f2a557af3329cf0ad95e8c8a8494c0d65edd18f
Opcode Fuzzy Hash: 03b6ca2fe12878da1c5c8d003b41012fd0046db1cd9d635ff7dcb1b093906e26
Instruction Fuzzy Hash: BCA160716043019FEB20DF24D88AB2ABBE5BF84714F14885DF55A9B3D2DB71EC418B92

Function 0057E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0057CF22,?), ref: 0057DDFD

Part of subcall function 0057DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0057CF22,?), ref: 0057DE16

Part of subcall function 0057E199: GetFileAttributesW.KERNEL32(?,0057CF95), ref: 0057E19A

lstrcmpiW.KERNEL32(?,?), ref: 0057E473
MoveFileW.KERNEL32(?,?), ref: 0057E4AC
_wcslen.LIBCMT ref: 0057E5EB
_wcslen.LIBCMT ref: 0057E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0057E650

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction ID: f7b32ffa0406c7e72e17dbb538541a1960531860fa7a35bfe44debbd196d8cad
Opcode Fuzzy Hash: 1ca2ea8168c41e3a96d73ee7f9078b7d37f065beb2141432717f693e3f3fbaa5
Instruction Fuzzy Hash: 125192B24083455BC724DB90E8969DF7BECBFC8340F00492EF689D3151EF75A6889766

Function 0059B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 0059C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059B6AE,?,?), ref: 0059C9B5
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059C9F1
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA68
Part of subcall function 0059C998: _wcslen.LIBCMT ref: 0059CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0059BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0059BB63
RegCloseKey.ADVAPI32(?,?), ref: 0059BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0059BBB3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction ID: cdc935dd82569dc0e844e059fad9d4eec726ddd56382caa8f3be6678c7951da6
Opcode Fuzzy Hash: ab358ccb64121e4d00b320407a521ea787e4b4bf072dc6102dfda4396054a205
Instruction Fuzzy Hash: 8661B031208241AFE714DF24C594E6ABFE5FF84308F14895CF49A8B2A2DB31ED45CB92

Function 00578BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00578BCD
VariantClear.OLEAUT32 ref: 00578C3E
VariantClear.OLEAUT32 ref: 00578C9D
VariantClear.OLEAUT32(?), ref: 00578D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00578D3B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction ID: 7c80970e1213464221eb4496de8c75ebeb80294f245bfc2cd8b3f89fe0b275e7
Opcode Fuzzy Hash: 281ad127c6f5b488f41dd9095753c0cfa24943926c3d3f92b3153a99f55794ce
Instruction Fuzzy Hash: 415159B5A00219EFCB14CF68D894AAABBF8FF8D310B158559E909DB350E730E911CF90

Function 00588AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00588BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00588BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00588C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00588C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00588C5F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: bc5073d9dcf1f591bae4ac1b0e64fad05ea0508653aa4614ab250d7019c84637
Instruction ID: a19e350f6f286658c5e9b15f55307042e586999b4f5f3ad6ce430dbebeefcec4
Opcode Fuzzy Hash: bc5073d9dcf1f591bae4ac1b0e64fad05ea0508653aa4614ab250d7019c84637
Instruction Fuzzy Hash: 3D514C35A002199FDB05EF64C885AA9BFF5FF89314F098458E849AB362DB31ED51CB90

Function 00598EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00598F40
GetProcAddress.KERNEL32(00000000,?), ref: 00598FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00598FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00599032
FreeLibrary.KERNEL32(00000000), ref: 00599052

Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00581043,?,753CE610), ref: 0052F6E6
Part of subcall function 0052F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0056FA64,00000000,00000000,?,?,00581043,?,753CE610,?,0056FA64), ref: 0052F70D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction ID: fbbef9e352b1613c8fa91f9117b92fae8a2c555a3f6b240144b2c7ccdc133f01
Opcode Fuzzy Hash: 30bd0609d7893bdcba96d7795368c2ecc48da038254d8f637e30759a0fe88f98
Instruction Fuzzy Hash: F9511735600205DFDB11DF58C4988A9BFF1FF8A314F0980A8E81A9B362DB31ED85CB90

Function 005A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 005A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 005A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0058AB79,00000000,00000000), ref: 005A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005A6CC7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction ID: 3b39315b6169eefebab93b79cc03f7a843ee7e4f72620e3c0e304cce5329afcd
Opcode Fuzzy Hash: 0e697621d9952cc67840213a7c0c9299afe9c12277914fe7d495b2076fc54496
Instruction Fuzzy Hash: CF418035A04104AFD724DF28CC68BAD7FA5FB0B360F190268F995AB2A1C771AD41DA50

Function 00542051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005420C3
_free.LIBCMT ref: 005420E3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2ec36bdd1afe50e5cc68242e394cdd225a0ad034113f912f2255c69403aa58d5
Instruction ID: 183b748e96f74ac567f286ee50b1371f51938626959f1d6d97846b07228f91e5
Opcode Fuzzy Hash: 2ec36bdd1afe50e5cc68242e394cdd225a0ad034113f912f2255c69403aa58d5
Instruction Fuzzy Hash: 5E41E432A002109FCB24DF78C884A9EBBF5FF89318F554569F515EB396D631AD01DB80

Function 0052912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00529141
ScreenToClient.USER32(00000000,?), ref: 0052915E
GetAsyncKeyState.USER32(00000001), ref: 00529183
GetAsyncKeyState.USER32(00000002), ref: 0052919D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction ID: 9d2a1fbd3cd9d4703fec7a0be231ebe00589e17911c06a0eb440ed85d9f8d19a
Opcode Fuzzy Hash: 9265c970efff0707028236a189c98b5f60c89f4a6111d25c2623092567dad064
Instruction Fuzzy Hash: 1D415F7190861BBBDF159F69D848BEEBB74FF4A324F20421AE425A32D0C7305D54DB91

Function 00583874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00583922
TranslateMessage.USER32(?), ref: 0058394B
DispatchMessageW.USER32(?), ref: 00583955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00583966

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction ID: 4f7c704a049fd1d16365d79e5dc282e96174174b464351dbbf9ba9575ee632fa
Opcode Fuzzy Hash: 4503aef7a4387d5955e546e11e77a2924c56c79e8e0bc290dd450717327f6e5b
Instruction Fuzzy Hash: 5931EB709057819EEB39EF34D849BB63FA8FB15700F04056DECA6E60A0E7F49689DB11

Function 0058CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0058CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0058C21E,00000000), ref: 0058CFF2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8734661e5c085aaa1932168fdee93733a9fceec672983265a51ab994de73f67a
Instruction ID: 8ef22b1384aa3925981837eb9b4bbcd1e2dfa31eb94be813000d1238b4842efa
Opcode Fuzzy Hash: 8734661e5c085aaa1932168fdee93733a9fceec672983265a51ab994de73f67a
Instruction Fuzzy Hash: 55314C71604205AFEB20EFA5D884AABBFF9FF15354B10442EFA06E2141DB30AE44DB70

Function 00571901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00571915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005719E2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction ID: 3486ec42c9f545e93dc0979e5a5cae22f7656c2c3d0fa965b371baba725cc6ab
Opcode Fuzzy Hash: 4690d1f04d452f7130f5e8eda3d6dce698ed176c45c72cb382b4a5dfd1410890
Instruction Fuzzy Hash: 1A31CD71A00219EFCB00CFACD998ADE3FB5FB55314F108229FA25AB2D0C7709945EB90

Function 005A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 005A579D
_wcslen.LIBCMT ref: 005A57AF
_wcslen.LIBCMT ref: 005A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction ID: a4284232c3d5620534d9205d8c27ffa105127e8976dad31e93bdc0d7ede0f324
Opcode Fuzzy Hash: 56df450c6b26b099d33aa84421eb53186bcf6070b79e5e17adef38816cd82d0d
Instruction Fuzzy Hash: EF219331904618DADB208F64DC84EEE7FB8FF56320F108616F919EB180E7709985CF50

Function 00590930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00590951
GetForegroundWindow.USER32 ref: 00590968
GetDC.USER32(00000000), ref: 005909A4
GetPixel.GDI32(00000000,?,00000003), ref: 005909B0
ReleaseDC.USER32(00000000,00000003), ref: 005909E8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction ID: 5b628a112ce0d0d5a01c5e1db127711a9e8f6c3e44d1a8b7dd4bb2a884670cdb
Opcode Fuzzy Hash: 04ef9c01de7544c68aa15d2e3ad33063e8de2b277dcde7cc869954cf848ff025
Instruction Fuzzy Hash: 8C218435600204AFEB04EF69C949AAEBFF9FF85700F048468E84AA7352DB30EC44DB50

Function 0054CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0054CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0054CDE9

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0054CE0F
_free.LIBCMT ref: 0054CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0054CE31

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 545b18b6b127e8176ad3c53acd7e9dd6057982efdb3e185bc1f9b7c70cee9ebe
Instruction ID: ff3b122b98d15f41fd89ee0a481dabfdb451f0f5dca1c607a42411067adcf822
Opcode Fuzzy Hash: 545b18b6b127e8176ad3c53acd7e9dd6057982efdb3e185bc1f9b7c70cee9ebe
Instruction Fuzzy Hash: 3E0184726032157F276216B66C8CDBB7D6DFEC7BA93150129F905C7201EF618D1291B0

Function 00529639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
SelectObject.GDI32(?,00000000), ref: 005296A2
BeginPath.GDI32(?), ref: 005296B9
SelectObject.GDI32(?,00000000), ref: 005296E2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction ID: 9deb3f3eb4187ff1688620d40598047957678a1737c4e9376a05da9ae058af06
Opcode Fuzzy Hash: 700be6cb469864f891a56b2127dd2869d07d1816ded742b45bc34b87be9aa036
Instruction Fuzzy Hash: 7D21B331901759EBDB118F64EC48BAD3FA4BF22315F100215F450DA2F1D3706889EF98

Function 00575711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00575726
_memcmp.LIBVCRUNTIME ref: 00575744
_memcmp.LIBVCRUNTIME ref: 00575757
_memcmp.LIBVCRUNTIME ref: 0057576F
_memcmp.LIBVCRUNTIME ref: 00575787

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction ID: fcb6afef9bf14232aed0a2565e7e3c0099bc22d36e1514db90967f5f2333a981
Opcode Fuzzy Hash: c18d710ded64dc96bc542cf3b5c065ebfa722cd7cb7082d48ba48316ec425213
Instruction Fuzzy Hash: F001B5A1645A0ABBE20C5521AD86FBF7B5CFB613E4F008420FE0D9A241F7A1ED1093B4

Function 00542DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0053F2DE,00543863,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6), ref: 00542DFD
_free.LIBCMT ref: 00542E32
_free.LIBCMT ref: 00542E59
SetLastError.KERNEL32(00000000,00511129), ref: 00542E66
SetLastError.KERNEL32(00000000,00511129), ref: 00542E6F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 222cb225c39adcdd33f4807d537e79d17de2b20d3df9469607ada58ff5019b36
Instruction ID: 7094b51df13324a460dbb4d6c166e14bc6fde269b9d143d75abd364b87b12f74
Opcode Fuzzy Hash: 222cb225c39adcdd33f4807d537e79d17de2b20d3df9469607ada58ff5019b36
Instruction Fuzzy Hash: 9A01263210562267871263752C49DFB3E6DBBE13ACFA04426F41593192EE708C149020

Function 0057000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?,?,0057035E), ref: 0057002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?), ref: 00570064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0056FF41,80070057,?,?), ref: 00570070

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction ID: 693e5b2af9e0729885dc1859e284c5da0ef7a492c6ca17c16235ec61ae867d90
Opcode Fuzzy Hash: 6537f40b0cda1fb16244e354d73a21bc9fd15649829f3c76dd819279baac11ba
Instruction Fuzzy Hash: 46018B72600205FFDB104F69EC08BAA7EEDFB547A2F14A124F909D2250EB75DD44BBA0

Function 0057E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0057E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0057E9A5
Sleep.KERNEL32(00000000), ref: 0057E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0057E9B7
Sleep.KERNEL32 ref: 0057E9F3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction ID: 1a027cc55a0d5889e96598723f7ee57a72e8a5a2f720b357d7223f34b26a0757
Opcode Fuzzy Hash: 3293825c91df3bfa04182e8f917a2a17ab8bd7763472831cac6621a360356396
Instruction Fuzzy Hash: 71015B72D01629DBCF009BE4E85AADDBF78BF1E301F004586E606B2241CB309559EB61

Function 005710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00571114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 0057112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00570B9B,?,?,?), ref: 00571136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0057114D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction ID: c6136f9fc9b8287e4255750945e0d6448a2bf261b42c9600f0abccdcd726c832
Opcode Fuzzy Hash: f6a2cf74d7a01e6596447bdf6e8af8dfe1c6b489c74989028028e8569a8ae2f5
Instruction Fuzzy Hash: 08011975200605BFDB114FA9EC49A6A3F6EFF8A3A0B604419FA45D7360DA31DD04EA60

Function 00570FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00570FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00570FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00570FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00570FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00571002

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction ID: fb6028b963192fc27c0e25af8a7c0bd5262cba8585d98445d484def58dba836d
Opcode Fuzzy Hash: c45069ca284d4fd7f6399ac621f8fbb70e8bc9340150943286064622f09ba86d
Instruction Fuzzy Hash: 7CF04935200701ABDB214FA9AC4DF5A3FADFF9A762F104415FA49C6251EE70DC54AA60

Function 00571014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction ID: 2fa8470c3eb9a693007dc5b96c8b49590f76c8b5d46856077688edcdbde6c1f6
Opcode Fuzzy Hash: d5f4b3ebc07cdc12eb6636ac184be9f7786526de063174e18f9b7b78d1e892d5
Instruction Fuzzy Hash: 9DF04935200701ABDB215FAAEC4DF5A3FADFF9A761F104415FA49C6250DE70D854AA60

Function 0058030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580324
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580331
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058033E
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 0058034B
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580358
CloseHandle.KERNEL32(?,?,?,?,0058017D,?,005832FC,?,00000001,00552592,?), ref: 00580365

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction ID: 63279650871853044fdf335bb996c966c14b476cf46726462eed549cd631cf13
Opcode Fuzzy Hash: 7834c3ed929462e4082d5966cb35c3af576849a463b1935eef56009c7957ac67
Instruction Fuzzy Hash: 10019C72801B159FCB30AF66D880816FBF9BE602163159E3FD19662971CBB1A958DF80

Function 0054D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0054D752

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 0054D764
_free.LIBCMT ref: 0054D776
_free.LIBCMT ref: 0054D788
_free.LIBCMT ref: 0054D79A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff0cb793a7fc2f9fd9ab885646695bfb0b7c8c4a8d3cc97eb3346557edd25968
Instruction ID: 13e23af86243c5d14f9ed30e9a6b8df4a749c514032d72bdaff7f8b76eb33a5f
Opcode Fuzzy Hash: ff0cb793a7fc2f9fd9ab885646695bfb0b7c8c4a8d3cc97eb3346557edd25968
Instruction Fuzzy Hash: 46F04F32541216AB8621EB65F9C5D967FFDFB44318BD40806F049D7502C734FC809670

Function 00575C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00575C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00575C6F
MessageBeep.USER32(00000000), ref: 00575C87
KillTimer.USER32(?,0000040A), ref: 00575CA3
EndDialog.USER32(?,00000001), ref: 00575CBD

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction ID: fb1d42a86d788f89ca4a9de9a2f5bc9cf14a09e9d727cd8c61a7b81790096234
Opcode Fuzzy Hash: ac88b2363bdaaa7499b7834fec45fe70df19d3109fe8213ee3b6bd6814aee176
Instruction Fuzzy Hash: 88018630500B04ABEB215B14ED4EFA67FFCBB11B05F044559A587A20E1EBF0AD88AA90

Function 005422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005422BE

Part of subcall function 005429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000), ref: 005429DE
Part of subcall function 005429C8: GetLastError.KERNEL32(00000000,?,0054D7D1,00000000,00000000,00000000,00000000,?,0054D7F8,00000000,00000007,00000000,?,0054DBF5,00000000,00000000), ref: 005429F0

_free.LIBCMT ref: 005422D0
_free.LIBCMT ref: 005422E3
_free.LIBCMT ref: 005422F4
_free.LIBCMT ref: 00542305

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c8822d6c37e36ab73ffaa7e415839e841dacf6f40eb7b7a4ef2c2c89ac467505
Instruction ID: 6e6b9053c052ea30b8df7a7fa076dd89f6a959f781c5bc0cc975154efe4965d6
Opcode Fuzzy Hash: c8822d6c37e36ab73ffaa7e415839e841dacf6f40eb7b7a4ef2c2c89ac467505
Instruction Fuzzy Hash: 66F0B4784015B29B8A26AF56BC8188C3F74F738764F801107F058DA2B1C7710496FFE8

Function 005295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005295D4
StrokeAndFillPath.GDI32(?,?,005671F7,00000000,?,?,?), ref: 005295F0
SelectObject.GDI32(?,00000000), ref: 00529603
DeleteObject.GDI32 ref: 00529616
StrokePath.GDI32(?), ref: 00529631

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction ID: 200df3aa9b78b2f16348f5e6e0a2d62ff1a6f020dfa8d45f27de7e33c17c2d95
Opcode Fuzzy Hash: 1de2066f372abafc33b299c12c1ac75a756c330819fcff9d7bc5cd86e80e004b
Instruction Fuzzy Hash: 11F04F31105A48EBDB1A5F65ED5C7683FA1BF22322F048214F4A5991F2CB348999FF28

Function 00540F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005410F9
__freea.LIBCMT ref: 00541117

Part of subcall function 00541537: _free.LIBCMT ref: 0054154F

Strings

a/p, xrefs: 005411DE
am/pm, xrefs: 0054117A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction ID: b3fb87df8b0c21aec00abaf69fc268ed9dd220c54b0c1d378f7e8fd52fd1d0f7
Opcode Fuzzy Hash: 80df0facff56a307b35277d354b267233c5c8cfe930299b035d27d01bf7ca494
Instruction Fuzzy Hash: 40D14835900A06DBCB288F68C859BFEBFB1FF05708F244919E9169B650D3759DC0CB99

Function 005961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00530242: EnterCriticalSection.KERNEL32(005E070C,005E1884,?,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053024D
Part of subcall function 00530242: LeaveCriticalSection.KERNEL32(005E070C,?,0052198B,005E2518,?,?,?,005112F9,00000000), ref: 0053028A

Part of subcall function 005300A3: __onexit.LIBCMT ref: 005300A9

__Init_thread_footer.LIBCMT ref: 00596238

Part of subcall function 005301F8: EnterCriticalSection.KERNEL32(005E070C,?,?,00528747,005E2514), ref: 00530202
Part of subcall function 005301F8: LeaveCriticalSection.KERNEL32(005E070C,?,00528747,005E2514), ref: 00530235

Part of subcall function 0058359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005835E4
Part of subcall function 0058359C: LoadStringW.USER32(005E2390,?,00000FFF,?), ref: 0058360A

Strings

x#^, xrefs: 0059636F
x#^, xrefs: 00596353
x#^, xrefs: 0059633A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#^$x#^$x#^
API String ID: 1072379062-3539263148
Opcode ID: 33e53f83f18dbc02615d90e85618936e7530082f503a82ad7f6f574b5a1e0b17
Instruction ID: b7042cb355b1f99f464c70204d58ead184cd3a5e64363a337f8234473ba18ccd
Opcode Fuzzy Hash: 33e53f83f18dbc02615d90e85618936e7530082f503a82ad7f6f574b5a1e0b17
Instruction Fuzzy Hash: 11C17B71A00106AFDF14DF98C895EAEBBB9FF48300F118469F945AB291DB70ED49CB90

Function 00545AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOQ, xrefs: 00545BA8, 00545C6C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: JOQ
API String ID: 0-3921798060
Opcode ID: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction ID: 6a2e05dfffb8997bfcb0bbf0ecc67ba69fdb86b8c7cd3d9f2bc7bf9880926ced
Opcode Fuzzy Hash: 406b47cefafd532f179173fe4036eb942f9cb2223270f1b6d72f8732076f18dd
Instruction Fuzzy Hash: CE51BE75D0060A9BCB259FA4CC89FEEBFB8FF45318F14045AF405A7292E6319D01DB61

Function 00548A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00548B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00548B7A
__dosmaperr.LIBCMT ref: 00548B81

Strings

.S, xrefs: 00548A63

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .S
API String ID: 2434981716-1539595904
Opcode ID: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction ID: 61160430dc0af42a2c6ce47f131ebf2d9356acf99187ec2df56aaa95f0567b98
Opcode Fuzzy Hash: b00082088acc37bbf87162f7e33cde85b6b5a706494779aad554395f90418ada
Instruction Fuzzy Hash: 40419D70604045AFCB249F25CC84AFD7FE5FB8631CF2885AAF8958B242DE71CC429790

Function 00572716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0057B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721D0,?,?,00000034,00000800,?,00000034), ref: 0057B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00572760

Part of subcall function 0057B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0057B3F8

Part of subcall function 0057B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0057B355
Part of subcall function 0057B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B365
Part of subcall function 0057B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00572194,00000034,?,?,00001004,00000000,00000000), ref: 0057B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0057281A

Strings

@, xrefs: 00572832

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction ID: b7b3cf812bcab17bab430310755f0f5b6b993fc0ed95593300527fad4b2626ab
Opcode Fuzzy Hash: 064dbbebfd5c402402e3f11513dd621facdad38784f15445ffb929dc226f0c2f
Instruction Fuzzy Hash: 9A416D72900219AFDB10DBA4DD45BDEBBB8FF45300F108099FA59B7181DB706E85DBA1

Function 0054172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00541769
_free.LIBCMT ref: 00541834
_free.LIBCMT ref: 0054183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00541760, 00541767, 00541796, 005417CE

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: c3dabe951961c290b38f4da2b5183c950e0ba6acc4b0ccf358698997783da43a
Instruction ID: eeee8538d5b81146783530cfec5b4309f3ba51fceb5c8e64b119fbbb5fd5db2b
Opcode Fuzzy Hash: c3dabe951961c290b38f4da2b5183c950e0ba6acc4b0ccf358698997783da43a
Instruction Fuzzy Hash: 5331BC75A00A58ABDB25DB9A9C84DDEBFFCFB95314F104166F8049B211D6708A80DB98

Function 0057C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0057C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0057C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E1990,00DA6368), ref: 0057C395

Strings

0, xrefs: 0057C2DF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction ID: 82bc2f369544b9245633c3bd4eff52f0b4197526ff05008ff2d93bf76aac84ee
Opcode Fuzzy Hash: 03565f18d6f4bf437eb29874ece6787541dfd90247eec257be14d44aeb22ef59
Instruction Fuzzy Hash: A1418E712043029FD720DF25E884B5ABFE4BF85320F14CA1DF9A9972D1D730A904EB62

Function 005A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005ACC08,00000000,?,?,?,?), ref: 005A44AA
GetWindowLongW.USER32 ref: 005A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A44D7

Strings

SysTreeView32, xrefs: 005A447C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction ID: 4873749e4507687ffc0272da20159f5b84f6073fe35ad84ddef6095fe723cada
Opcode Fuzzy Hash: 7d29528cef674264b84be62b0e111c28e55fdb622321f230796781f3db644e79
Instruction Fuzzy Hash: B9315C31210606AFDF219EB8DC45BEA7FA9FB8A334F204725F975921D0D7B0AC519B50

Function 00576E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00576EED
VariantCopyInd.OLEAUT32(?,?), ref: 00576F08
VariantClear.OLEAUT32(?), ref: 00576F12

Strings

*jW, xrefs: 00576E8B, 00576E90, 00576EF8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jW
API String ID: 2173805711-2693160286
Opcode ID: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction ID: 44ee51ad280366b0a565b4ed83e78f19bbb2caa039ebc39a47f9f52f1951dfdd
Opcode Fuzzy Hash: e222dacec7af85bcd0789438c73db7ac1fa2fcd13b4296e363e227b78d300cf1
Instruction Fuzzy Hash: BB31B371604606DFDB04AF64F8949BD3F76FF85300B104898F9064B2A1D7309D91EBA4

Function 0059304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0059335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00593077,?,?), ref: 00593378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0059307A
_wcslen.LIBCMT ref: 0059309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00593106

Strings

255.255.255.255, xrefs: 00593095, 0059309A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction ID: b7988a32a94d354688cc7802369c09e2f709e1e9885909f3bd948fcabf683d35
Opcode Fuzzy Hash: 78dd40aee28c6856205b5010857949670ddff2b7c8a1631a27753eb08665188b
Instruction Fuzzy Hash: 2A31B039600202DFCB20CF68C589AAA7FE0FF55318F248459E9158B3A2DB32EE45D760

Function 005A3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005A3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005A3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A3F78

Strings

SysMonthCal32, xrefs: 005A3F0B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2db68bca5e85e011ed30beace7a4883aba6c94eb163cba0bbcd0c4bf80321056
Instruction ID: e7ee3663323e87410043af921f0bd097f3c6a28c7a2e337e57ddaf431d6ceaab
Opcode Fuzzy Hash: 2db68bca5e85e011ed30beace7a4883aba6c94eb163cba0bbcd0c4bf80321056
Instruction Fuzzy Hash: A821AD32610219BFDF218E54CC46FEE3F79FB89718F110215FA156B190D6B5A894DB90

Function 005A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A471A

Strings

msctls_updown32, xrefs: 005A4684

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction ID: c91d114d8811ffbe7e007e7097770fd6d48f963bac30f61831a6da48671c38db
Opcode Fuzzy Hash: b97b30fca7c9fa717f541dffe9d8cca0d32186fd61603e6af52a40dd884655f9
Instruction Fuzzy Hash: E72151B5600249AFDB10DF68DCC5DBB3BADFB9B394B040459FA019B261DB70EC51DA60

Function 005795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0057961D

Strings

#requireadmin, xrefs: 005795D9
#OnAutoItStartRegister, xrefs: 005795F3
#notrayicon, xrefs: 005795B7

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3e55d52ba33bbedbd9d4ca7f71ee8d94e6a06e8ccc80092ef12fc9aaf2b1f241
Instruction ID: cd10c6d01f152332f5155d5cf581eff24f34541b12618ff2b35ce0a908ff0897
Opcode Fuzzy Hash: 3e55d52ba33bbedbd9d4ca7f71ee8d94e6a06e8ccc80092ef12fc9aaf2b1f241
Instruction Fuzzy Hash: 9921087210462266D331AA29AC06FBB7FACBFD5310F148426F94D97181EB51AD81E3F5

Function 005A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A3876

Strings

Listbox, xrefs: 005A380F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction ID: 16ab0d73d7ec5fdddcefd8e1ad1e02aa67a76108507ea7a7b151b4ba6b84a5f6
Opcode Fuzzy Hash: ac3c9b42013912ca22de0ad213a1a1cf7f631d677117bae5d8fa9a5fb8b1e451
Instruction Fuzzy Hash: 3521BE72600219BBEB218F64CC85EBF3B6EFF8A754F108125F9009B190CA75DD528BA0

Function 005849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00584A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00584A5C
SetErrorMode.KERNEL32(00000000,?,?,005ACC08), ref: 00584AD0

Strings

%lu, xrefs: 00584A6F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction ID: 0037eeb0ff125ed1899e4654c4d0db9e6e06dd6a80b791260e61ed13296bf692
Opcode Fuzzy Hash: 68cff9678ffcb0c9caef91b0f2b0e22263f4b529ac0c212f710bf53590214787
Instruction Fuzzy Hash: C7314B75A00209AFDB10DF54C885EAA7FF9FF49308F1480A5E909EB252DB71EE45CB61

Function 005A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A4271

Strings

msctls_trackbar32, xrefs: 005A4226

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction ID: 641ec9e6f322ed538e558a8222291f584a4bb7f2c0851ce90431f072bffea93b
Opcode Fuzzy Hash: 8d912a7132a55813900e5a631ffeac11ee593ad80096fec63b8d9d7627b5ce59
Instruction Fuzzy Hash: 8011A331240248BEEF205E69CC46FAB3FACFFD6B54F110525FA55E6090D6B1DC519B50

Function 00572F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

Part of subcall function 00572DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
Part of subcall function 00572DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
Part of subcall function 00572DA7: GetCurrentThreadId.KERNEL32 ref: 00572DDD
Part of subcall function 00572DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

GetFocus.USER32 ref: 00572F78

Part of subcall function 00572DEE: GetParent.USER32(00000000), ref: 00572DF9

GetClassNameW.USER32(?,?,00000100), ref: 00572FC3
EnumChildWindows.USER32(?,0057303B), ref: 00572FEB

Strings

%s%d, xrefs: 00572FFF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction ID: 0284a40ecf1a234bd9a447240347ce344aa19da3ef18e3bce9d07fb704a45c16
Opcode Fuzzy Hash: 7e13d4eee0aeb51ca3cd6c13c07e89be3ce19a6521083f4445ffc6e30d7a030b
Instruction Fuzzy Hash: 9D11A2716002066BDF14BF74AC89EED3F6ABFD5314F048075B90D9B292DE30994AAB60

Function 005A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005A58EE
DrawMenuBar.USER32(?), ref: 005A58FD

Strings

0, xrefs: 005A588F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 6bcd8ea499c392a5edc5726ee8ca194be9d52e9e116e645ad74ebc1620751f33
Instruction ID: c7d871573c25bb420818d4a14f52760362fc881f762fb8be5d11e86f48b69884
Opcode Fuzzy Hash: 6bcd8ea499c392a5edc5726ee8ca194be9d52e9e116e645ad74ebc1620751f33
Instruction Fuzzy Hash: FD010C31500219EEDB619F11E844FAFBFB8BF46361F1484A9F849DA151EB308A94EF21

Function 0056D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0056D3BF
FreeLibrary.KERNEL32 ref: 0056D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0056D3B9
X64, xrefs: 0056D2A8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction ID: 0b90b13ec85af04db34f9c90fd8d29fe54aa680639c52263857bdf243e7d459b
Opcode Fuzzy Hash: e9d0d174f390c45b71d9cd920f70244f378d3083ec3cd8479706207018db8902
Instruction Fuzzy Hash: CDF055B5F05A208BC77102115C2896D3FB0BF12701BA88D26E802EB244EB20CC44C2B2

Function 0057007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction ID: a66f30f55023ea489b0ddf1a63732a3597511ff16080eb6116a363c08c1efad8
Opcode Fuzzy Hash: e8578f3d0aac6b0e00a43cb10c0aa0e71d98254ee7c952f1ab8b223c4d1836df
Instruction Fuzzy Hash: 29C16D75A00216EFCB14CF94D898AAEBBF5FF48314F209598E509EB291D731DD41EB90

Function 0059342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00593459
CoUninitialize.OLE32 ref: 00593463
VariantInit.OLEAUT32(?), ref: 0059346E
VariantClear.OLEAUT32(?), ref: 0059371B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction ID: 668b0a821a1b4d8ff13a3f0aec4b6cc11244cac9605a81a188f9f9832a3beae0
Opcode Fuzzy Hash: 60f024b417318b33880e3f4025eafc44358c8a7a8db3dd3ca70887c17f494415
Instruction Fuzzy Hash: DFA14975204201DFDB10DF28C489A6ABBE5FF8D714F058859F98A9B362DB30EE45CB91

Function 00570436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 005705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005AFC08,?), ref: 00570608
CLSIDFromProgID.OLE32(?,?,00000000,005ACC40,000000FF,?,00000000,00000800,00000000,?,005AFC08,?), ref: 0057062D
_memcmp.LIBVCRUNTIME ref: 0057064E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction ID: 853643bb8abe0d859517d7a55ba91d36adbb0d36eb3dce13e5160036971bdeca
Opcode Fuzzy Hash: cad1f59382c62924ea53cf19128c96f0ab7c43fe6dfb078b7315cadeade281ed
Instruction Fuzzy Hash: 27811C71A00109EFCB04DF94C988DEEBBF9FF89315F108558E506AB290DB71AE06DB60

Function 0059A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0059A6BA

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Process32NextW.KERNEL32(00000000,?), ref: 0059A79C
CloseHandle.KERNEL32(00000000), ref: 0059A7AB

Part of subcall function 0052CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00553303,?), ref: 0052CE8A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 8d242395d2a56be87e52751e2e6e6f82af076cf84bb89c48c452d67cbdaab91b
Instruction ID: 0f7578123f3f8661b9f3d33fd859809fff861ad850c5157a9e63722a22c109ae
Opcode Fuzzy Hash: 8d242395d2a56be87e52751e2e6e6f82af076cf84bb89c48c452d67cbdaab91b
Instruction Fuzzy Hash: 8E512B71508311AFD710EF24D88AAABBBE8FFC9754F00491DF59597291EB30E944CBA2

Function 00551391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005514C0

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: df1e7caa6d202a2e146bf385ad30c169bc3e72c771be97b682aa503b4c66b550
Instruction ID: 45c1923008adaf492b3dc735f0795fb6801f190f85a5fd9c959c5b60691cc93d
Opcode Fuzzy Hash: df1e7caa6d202a2e146bf385ad30c169bc3e72c771be97b682aa503b4c66b550
Instruction Fuzzy Hash: 1B416935A00902EBDF216BB98C5ABAF3FA4FF81371F140627FC19C6192F67448495765

Function 005A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005A62E2
ScreenToClient.USER32(?,?), ref: 005A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005A6382

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction ID: 1750203f7b1eaf19aaf35c07f46c79752b1c70fb1ba27bb79646e6d86bf0eadb
Opcode Fuzzy Hash: 52ec338d578cd0c20444c3495194bd77716a393a8eaf88a09e74580a5eab00b8
Instruction Fuzzy Hash: 2D514A74A00249EFCF14DF68D880AAE7BB5FF96360F14856AF8159B290D730ED81DB90

Function 00591AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00591AFD
WSAGetLastError.WSOCK32 ref: 00591B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00591B8A
WSAGetLastError.WSOCK32 ref: 00591B94

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction ID: ed1b5fd3ae5a4b8d786e99ed45286a4aa5f3ed9e37243dcd300ca3a35e9a8f94
Opcode Fuzzy Hash: d386b4f7722a9fc0b3e674156dc7e61f4f639ac5e84bb701d39eff38a64f1088
Instruction Fuzzy Hash: 2441A1346406126FEB20AF24C88AF657BE6BF85718F548448F5169F3D2D772ED828B90

Function 0054B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction ID: f48dd1b68af5ac0b5d65c0a7d208a9d4479702f63bf4235af218ce3b1c1782fe
Opcode Fuzzy Hash: 7603d5051b786705936bdacf40334e1075eeceb1d4241edf7a44a93e8efea392
Instruction Fuzzy Hash: 2A41E675A00705AFEB249F38CC46BEABFA9FBC8714F10452AF555DB682D771D9018780

Function 005856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00585783
GetLastError.KERNEL32(?,00000000), ref: 005857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005857FA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction ID: 97622cd1184923acccc44fbc011619ff12179e0308cad823a8e074549deb3814
Opcode Fuzzy Hash: b56dcd06be71e784add282c570a71e1f1363500182236f832993702df914d5a6
Instruction Fuzzy Hash: 5C410839600611DFDB11EF15C449A5EBFF2BF89320B198488E84AAB362DB30FD41DB91

Function 0054D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00536D71,00000000,00000000,005382D9,?,005382D9,?,00000001,00536D71,?,00000001,005382D9,005382D9), ref: 0054D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0054D9AB
__freea.LIBCMT ref: 0054D9B4

Part of subcall function 00543820: RtlAllocateHeap.NTDLL(00000000,?,005E1444,?,0052FDF5,?,?,0051A976,00000010,005E1440,005113FC,?,005113C6,?,00511129), ref: 00543852

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction ID: dc9ba10fea6b5aaf33a3f7abd3d426312178b81510ae4826cd85b99abcd707ec
Opcode Fuzzy Hash: 580bf88760472203997ed1162c675482d3fdf208579fbfb91a578e2191407046
Instruction Fuzzy Hash: 6E31A872A0020AABDF248F64DC49AEE7FB5FB41354F050169EC04D62A0EB358D54CBA0

Function 005A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 005A5352
GetWindowLongW.USER32(?,000000F0), ref: 005A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A53A8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction ID: 25cbc3b5dc07b2c93bd2823fcccbc58678022017fe9f4e6f55f5a47f6e17b9a6
Opcode Fuzzy Hash: 74731ac663ca00aec47cdf147cc1082140f03bd06720b5b4c25fdb16dda904ee
Instruction Fuzzy Hash: 3331C134A55A08EFEF249E14CC45FEC3F65BB96390F984803FA11961E1E7B09940AB41

Function 0057AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0057ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0057AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0057AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0057ACC6

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction ID: 48b198dd83313fb857cdd5a0f827b44f9b8d15db2bf5d32bf5664fbce874f750
Opcode Fuzzy Hash: 70d1605154a81490c527c4639d5994a4193afb5e76bfdd890b407a326cd9d707
Instruction Fuzzy Hash: A631E730A00618BFFF26CB65A809BFE7EA9BBC5310F04C61AF489561D1C3758D85A752

Function 005A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005A769A
GetWindowRect.USER32(?,?), ref: 005A7710
PtInRect.USER32(?,?,005A8B89), ref: 005A7720
MessageBeep.USER32(00000000), ref: 005A778C

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction ID: 027ccd4b9684eaa5016031f3e9ebcee76028b9eb94039745946855cd2a3821d0
Opcode Fuzzy Hash: bca1ddb3d3754f72d57eb063424e8c0488189e73f960527e9d4657b79a9a7384
Instruction Fuzzy Hash: 3E418738A096599FCB01CF58CC94EADBFF4FB9E300F1940A8E854DB261C730A985DB90

Function 005A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005A16EB

Part of subcall function 00573A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00573A57
Part of subcall function 00573A3D: GetCurrentThreadId.KERNEL32 ref: 00573A5E
Part of subcall function 00573A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005725B3), ref: 00573A65

GetCaretPos.USER32(?), ref: 005A16FF
ClientToScreen.USER32(00000000,?), ref: 005A174C
GetForegroundWindow.USER32 ref: 005A1752

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction ID: 697dcada456007c4ff9dd02e4da64457bfeb40fe9f98f048e87ef06e840727e9
Opcode Fuzzy Hash: 5391be74a83a66b3b512acd3c74d2ba2f998e340167ace881ce08b96ff4f5cc6
Instruction Fuzzy Hash: 50310C75D00249AFDB04EFA9C8858EEBBF9FF89304B5480A9E415A7211D6319E45CBA0

Function 0057DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

_wcslen.LIBCMT ref: 0057DFCB
_wcslen.LIBCMT ref: 0057DFE2
_wcslen.LIBCMT ref: 0057E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0057E018

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 2a01d29b4b3491e51b25cf5115672d96b0942d41372cbf9f50e4f8ed145cd514
Instruction ID: 977b0fb6d3af7ceae3b1dd00e9f153b75efac3332a998a1588336c4b0868902d
Opcode Fuzzy Hash: 2a01d29b4b3491e51b25cf5115672d96b0942d41372cbf9f50e4f8ed145cd514
Instruction Fuzzy Hash: 0421A871900215AFCB119F98E986BAE7FF8FF89750F144065E805BB241D6709D408BA1

Function 005A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

GetCursorPos.USER32(?), ref: 005A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00567711,?,?,?,?,?), ref: 005A9016
GetCursorPos.USER32(?), ref: 005A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00567711,?,?,?), ref: 005A9094

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction ID: 78e1e6217114ea4b349123317358e3a9b9251f61f825ac4805193c2b6f17d459
Opcode Fuzzy Hash: b27de6c6acbec6156de4e9a1ab71f2b631d74f07c9319cb743fd2d600a2bce84
Instruction Fuzzy Hash: FB217F35600128EFDB298F94D898EEE7FB9FF8B390F144055F9058B2A1C7319990EB60

Function 0057D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,005ACB68), ref: 0057D2FB
GetLastError.KERNEL32 ref: 0057D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0057D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005ACB68), ref: 0057D376

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction ID: dd30ee54f9184e214da932fee3480280e124b6e1bb3a7ee98d63dbb2bdbe9ca2
Opcode Fuzzy Hash: 76388cb94e18f9081e65437e31167cb6815e4a75b097ef71fbd79a80eea411c8
Instruction Fuzzy Hash: AF2180745042029FC700DF28D8858AA7FF4BE96324F508E1DF499C32A1DB319949DBA3

Function 00571571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0057102A
Part of subcall function 00571014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00571036
Part of subcall function 00571014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571045
Part of subcall function 00571014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0057104C
Part of subcall function 00571014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00571062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005715BE
_memcmp.LIBVCRUNTIME ref: 005715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00571617
HeapFree.KERNEL32(00000000), ref: 0057161E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction ID: d5148ed50c7442a1c90b073f158862b54e62c827c84e81460b17fbc756df0d60
Opcode Fuzzy Hash: 3debf4159c497cb798911d18c69181ca6e1f79f5b250571d347ac980f4d9a70e
Instruction Fuzzy Hash: 9D219C31E00509AFDF14DFA8D948BEEBBB8FF40344F188459E445AB241E730AA04EB54

Function 005A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 005A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005A2840

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9b93295ffbbfb3882e3d93bc96ff2be45b59afdc10db5d78e62b1e771eebfceb
Instruction ID: 529f2b07e0fae0fc4c9482cf087dd956be51e61ec344ad3607c5499105e7dddb
Opcode Fuzzy Hash: 9b93295ffbbfb3882e3d93bc96ff2be45b59afdc10db5d78e62b1e771eebfceb
Instruction Fuzzy Hash: AA21A435604512AFE7149B28C846FAA7F95FF86324F148158F4268B6D2CB75FD82CB90

Function 005778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00578D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578D8C
Part of subcall function 00578D7D: lstrcpyW.KERNEL32(00000000,?,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00578DB2
Part of subcall function 00578D7D: lstrcmpiW.KERNEL32(00000000,?,0057790A,?,000000FF,?,00578754,00000000,?,0000001C,?,?), ref: 00578DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577923
lstrcpyW.KERNEL32(00000000,?,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00578754,00000000,?,0000001C,?,?,00000000), ref: 00577984

Strings

cdecl, xrefs: 0057797B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e23b12a75f9845e3deaed9b515920361954fe29019ab30bdba5a485bd0c2166a
Instruction ID: c69ba510e992c9c8427f7d54099250042fd95d3cfc8c97201ea3779e63ac3bd1
Opcode Fuzzy Hash: e23b12a75f9845e3deaed9b515920361954fe29019ab30bdba5a485bd0c2166a
Instruction Fuzzy Hash: E011EC3A201706AFCB155F34F849D7B7BA9FF99350B50802AF946C72A4EF319811E791

Function 005A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 005A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 005A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0058B7AD,00000000), ref: 005A7D6B

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 86bcf2e8cfd4c51e5233cfbd640f5c5ac2670f4a353a542956bdc9cb07b2583f
Instruction ID: 672f9737c3e61cf425cb86d38485de579685e2f804bc9b47d9c63c41427d65e7
Opcode Fuzzy Hash: 86bcf2e8cfd4c51e5233cfbd640f5c5ac2670f4a353a542956bdc9cb07b2583f
Instruction Fuzzy Hash: 7611AF32604669AFCB149F28CC04AAA3FA5BF4B360B154724F839DB2F0E7309D55DB90

Function 005A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 005A56BB
_wcslen.LIBCMT ref: 005A56CD
_wcslen.LIBCMT ref: 005A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A5816

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction ID: 4bcfde3f289dc3d914e2ea0f8c620b45377d4e0ceca0dd4ffae8d9c544bfb49c
Opcode Fuzzy Hash: e992f3e23b6a9c6ffbb7e171d4bece51ceea896cc28284fccf73fd481f471708
Instruction Fuzzy Hash: F611B1716006099ADF20DF658C85EEE7FACFF56760F104426F915DA081FB709A84CBA0

Function 00541D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c945650ae56d52bab73b988a80731a9a6c8ca0631b4f71988971d249b43781f
Instruction ID: 25ddca58d5f73cbe4e0f60a765f8d1d94f8bdab3b11431305e66d46c9fb772a6
Opcode Fuzzy Hash: 7c945650ae56d52bab73b988a80731a9a6c8ca0631b4f71988971d249b43781f
Instruction Fuzzy Hash: BF017CF2A05A167EF61116786CC4FA76E2DFF913BCB341325B531511D2DB608C809164

Function 00571A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00571A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00571A8A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction ID: 0577911197ff0d9eda2f5f1547808625cc7fdeb60b4ac0123afe4dfc1f0706d7
Opcode Fuzzy Hash: 0e31a196838b77742f68b178ae0ac22c09f554d10720ad6bf42074adf9516f73
Instruction Fuzzy Hash: 5D113C3AD01219FFEB10DBA8CD85FADBB78FB04750F204091E605B7290D6716E50EB94

Function 0057E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0057E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0057E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0057E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0057E24D

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction ID: 7a3988581c14abb129092fbf58bd38d92f583a2ca32feb2387fa17234d5a64a6
Opcode Fuzzy Hash: 44bb02ebff3f51d0f81813ce3abf94dedf1ecfccc55a93e6e85c111484fe78b0
Instruction Fuzzy Hash: 2F112B76A04354BBC7059FA8EC4AA9F7FADEB5A310F008655F819D7291D670CD0897A0

Function 0053D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0053CFF9,00000000,00000004,00000000), ref: 0053D218
GetLastError.KERNEL32 ref: 0053D224
__dosmaperr.LIBCMT ref: 0053D22B
ResumeThread.KERNEL32(00000000), ref: 0053D249

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction ID: d45ad4c648fb10770a3f34014536dc83df1b13599ed28869aad4c22a23baeec2
Opcode Fuzzy Hash: 4a4ffae62088c53692ce58d9f1487e89508639edc2905e7017118c0ec1cd82db
Instruction Fuzzy Hash: 8B01C03A805205BBCB215BA5EC09AAB7F79FF82731F100219F925921D0DF718905D7B0

Function 005A9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00529BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00529BB2

GetClientRect.USER32(?,?), ref: 005A9F31
GetCursorPos.USER32(?), ref: 005A9F3B
ScreenToClient.USER32(?,?), ref: 005A9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 005A9F7A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5578a038687e2f0bff2ea6d5d4f21dc66948c0897484569aacecb09d2e02025b
Instruction ID: a50df258e063769a48acc863b38afd84b48810f2e0fc5f85807bdbf2e47dc4d0
Opcode Fuzzy Hash: 5578a038687e2f0bff2ea6d5d4f21dc66948c0897484569aacecb09d2e02025b
Instruction Fuzzy Hash: 9711333290026AAFDF15DFA8D8899EE7BB9FB46311F000455FA02E3140D330BA85DBA1

Function 0051600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
GetStockObject.GDI32(00000011), ref: 00516060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction ID: b107be61bab182dbec4d44bf95da99212bad452a61abb8ec84958de889274cc6
Opcode Fuzzy Hash: 30323eebe2589afb3f6ad0efc8e340db9e3cd52195892856385bb894bc6ba083
Instruction Fuzzy Hash: A611AD72501508BFEF129FA48C48EEABFA9FF1D3A4F000206FA0556110C7329CA0EBA1

Function 00533B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00533B56

Part of subcall function 00533AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00533AD2
Part of subcall function 00533AA3: ___AdjustPointer.LIBCMT ref: 00533AED

_UnwindNestedFrames.LIBCMT ref: 00533B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00533B7C
CallCatchBlock.LIBVCRUNTIME ref: 00533BA4

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: f06acc09e4593976fed23c5dc7da80649af29af9ef4ed75e1183013d4221a169
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: CC01E932100149BBDF125E95CC4AEEB7F69FF98754F044014FE4866121C736E961DBA0

Function 00543073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005113C6,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue), ref: 005430A5
GetLastError.KERNEL32(?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000,00000364,?,00542E46), ref: 005430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0054301A,005113C6,00000000,00000000,00000000,?,0054328B,00000006,FlsSetValue,005B2290,FlsSetValue,00000000), ref: 005430BF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction ID: f2fed4ac56fc8efa5cff5c1b14f288658ecd53835b938a4d63b369a4f0a037f9
Opcode Fuzzy Hash: 44481e7845afbf6406d13e7582b9270bbef0e4905ff1adf5a953710904a22a5a
Instruction Fuzzy Hash: B4012B36301622ABCB314B789C4CA977FD8BF16B65B200720F90DE7160D721DD09C6E0

Function 00577464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0057747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00577497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005774CA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction ID: b428db24a8e2cfd7b177b09b814ab7e5dd40fe082681dfb19efc57fad476ba2b
Opcode Fuzzy Hash: 2196ade24e098f3051b76bb2e59be5ba11d3f95ddb171f1d1f0995e41220346c
Instruction Fuzzy Hash: 2D115EB52053199BEB208F24FC09F927FFDFB08B04F10C969A66AD6151D7B0E908EB50

Function 0057B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0057ACD3,?,00008000), ref: 0057B126

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction ID: 526469fef58ce4f13997d9a2c1d5ba6b1fd7f46e53ea40b979a20e7d06872028
Opcode Fuzzy Hash: b169ba9a6fa6bb47b6f596badd9c1977d522f5af8ac7ca63f8567c3d9dd268cc
Instruction Fuzzy Hash: 75117930E01529E7DF00AFE4E9A8BEEBF78FF5A311F008486D945B2181CB305655EB51

Function 005A7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005A7E33
ScreenToClient.USER32(?,?), ref: 005A7E4B
ScreenToClient.USER32(?,?), ref: 005A7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005A7E8A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1e280e3c56aff32b69bdec5bdec9877c5820dc004cf936003eb9f78ae03001e2
Instruction ID: 60e71a56bc2d3062af58670129db9526be670adbc4404685b15ec6916335ba2f
Opcode Fuzzy Hash: 1e280e3c56aff32b69bdec5bdec9877c5820dc004cf936003eb9f78ae03001e2
Instruction Fuzzy Hash: 7D1143B9D0020AAFDB41CFA8C8849EEBBF9FB19310F505056E915E3210D735AA54DF90

Function 00572DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00572DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00572DD6
GetCurrentThreadId.KERNEL32 ref: 00572DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00572DE4

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction ID: 95905d093804b29c87b2925ec2f55ab28fb7749f35a8b20dd49f0099a903da29
Opcode Fuzzy Hash: 344b7d775e18aee94c14438d19be04ade4602f15936627034996f612069c5f11
Instruction Fuzzy Hash: 38E092B16012347BD7305B76AC0DFEB3E6CFF63BA1F004015F109D20809AA0C845E6B0

Function 005A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00529639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00529693
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296A2
Part of subcall function 00529639: BeginPath.GDI32(?), ref: 005296B9
Part of subcall function 00529639: SelectObject.GDI32(?,00000000), ref: 005296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005A8887
LineTo.GDI32(?,?,?), ref: 005A8894
EndPath.GDI32(?), ref: 005A88A4
StrokePath.GDI32(?), ref: 005A88B2

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction ID: 90fb1ba7bc6ae5c7aaccbfeb9de6460cc5d76bdcd182896492d68d60d2a58c1b
Opcode Fuzzy Hash: 86e18fa264ac55a03956f98fa905e907e81f48d66c16808471dbced522369982
Instruction Fuzzy Hash: ABF03A36045659BADB125F94AC0DFDE3E59BF27310F448000FA11650E2CB795515EBA9

Function 005298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005298CC
SetTextColor.GDI32(?,?), ref: 005298D6
SetBkMode.GDI32(?,00000001), ref: 005298E9
GetStockObject.GDI32(00000005), ref: 005298F1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction ID: babda23092f530fcf023f160b2149b06ff6ffa12fd385980bdd04a0b603c7173
Opcode Fuzzy Hash: fdf6603537d52c9d4adb0155221fe6a5cb8cc3c0d570d87573f395080bf49304
Instruction Fuzzy Hash: 77E06D31644284ABDB215B74BC09BE83F60FB27336F048219F6FA581E1C7724684EB10

Function 0057162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00571634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005711D9), ref: 00571648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005711D9), ref: 0057164F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction ID: 9fd6a7abfb0923c10368a160921ec55014196553daf74aa5e51fb240e99b5b65
Opcode Fuzzy Hash: 6d78daf8af01a9f0b2d155c7cc239e2065791bb06a459dc144e30e1677b3d84a
Instruction Fuzzy Hash: 70E08635601211DBD7201FA5AD0DB4B3F7CBF66791F148808F245C9080D6344548E754

Function 0056D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D858
GetDC.USER32(00000000), ref: 0056D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction ID: ca8919bc23010366900ac9e3378c651b0e0ab707e0499b170370e9ed39fb7596
Opcode Fuzzy Hash: fe3f31decb965d1eff72b2794d78ec19c2547cf145b65ae4249fd8c78f015923
Instruction Fuzzy Hash: 69E01AB4800205DFCB419FA4D80C66DBFB1FB19310F108409E806E7350CB388945AF50

Function 0056D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0056D86C
GetDC.USER32(00000000), ref: 0056D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0056D882
ReleaseDC.USER32(?), ref: 0056D8A3

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction ID: 967b2f4171f1099f455d179a3d3f2215e27ba0317e127c4cc6dd779dd11b1383
Opcode Fuzzy Hash: 587933b3dbc702fa7ea6e77ed2ba42330fd5dfb5924db8b132cafcaaa00c6018
Instruction Fuzzy Hash: 78E012B4800204EFCB41AFA4D80C66EBFB1BB19310B108408E80AE7360CB38990AAF50

Function 00584D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00517620: _wcslen.LIBCMT ref: 00517625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00584ED4

Strings

LPT, xrefs: 00584DFB
*, xrefs: 00584E10

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 31dac028967185e3ec218c0345fa40a42418559712cfc114a86243a03fe5c98f
Instruction ID: ec4d1fe4e7100715e07138861d22498cf32366a0cc2e57413c7249f885553b84
Opcode Fuzzy Hash: 31dac028967185e3ec218c0345fa40a42418559712cfc114a86243a03fe5c98f
Instruction Fuzzy Hash: BB914A75A002059FDB14EF58C484AAABFB5BF48304F198099ED0AAB362D731ED85CF91

Function 0053E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0053E30D

Strings

pow, xrefs: 0053E2E5, 0053E302

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction ID: 3c105a0531dd9e4f1d239972786d0b5c7827b106ddec0575143a0e72a3a4b853
Opcode Fuzzy Hash: a521351e38fd914cd9748babc6443914a3f291837160b753a9f2b414ba0853ca
Instruction Fuzzy Hash: 5E515971E1C20A96CB157724C9473FA3FE8FB54744F208E98E095832E9EB309C95AA46

Function 00597771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,?,00000000,00000000), ref: 005978DD

Part of subcall function 00516B57: _wcslen.LIBCMT ref: 00516B6A

CharUpperBuffW.USER32(0056569E,00000000,?,005ACC08,00000000,?,00000000,00000000), ref: 0059783B

Strings

<s], xrefs: 005977C8

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s]
API String ID: 3544283678-3287859866
Opcode ID: 6182392611b613d64539e4d75c28e1b8f7fd0a17099e032b753739e8bd8e7c2a
Instruction ID: f78ab4f2a3c13ab3eb41a6b18f90cb29e4d93f20758be01d84cf36e5052db489
Opcode Fuzzy Hash: 6182392611b613d64539e4d75c28e1b8f7fd0a17099e032b753739e8bd8e7c2a
Instruction Fuzzy Hash: C9616B7292411AAADF04EBA4CC95DFDBB78FF58300F540926E542A3191EF306A85DBA0

Function 0052E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0052E1B1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ebd096cdad5b00089a014a309f1720a9cd61dbfbeafd85f61edb94e74676f74a
Instruction ID: 66adfff15f52614cec2f1f134505b049b2068563e8ecacdaee075e01aa8943b8
Opcode Fuzzy Hash: ebd096cdad5b00089a014a309f1720a9cd61dbfbeafd85f61edb94e74676f74a
Instruction Fuzzy Hash: A1513339502296DFDF15DF28D086AFA7FA8FF66310F644055E8929B2C0D6349D82CBA0

Function 0052F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0052F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0052F2BB

Strings

@, xrefs: 0052F2AF

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction ID: c7a2995c9ab9ec5f6a5ad5f1cdfd9c427da7dc9de0f0fd6f0e4bc561255378ce
Opcode Fuzzy Hash: c74dde67e1f6d21e205f5e19fd96fb59d69fa193dacbb454621c85b518957ae6
Instruction Fuzzy Hash: 95514971408B499BE320AF14DC8ABABBBF8FFD9300F81485DF1D941195EB318569CB66

Function 00595745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005957E0
_wcslen.LIBCMT ref: 005957EC

Strings

CALLARGARRAY, xrefs: 005957E6, 005957EB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 542c1432e0951ba05dcc4fb301acbd54f41edbbbf92c58c95735c4e1b51b50d2
Instruction ID: 1c137534ec4c76d0c473b9da2367f8f55f118cdcbbcc352f0b521fcfa437f5d1
Opcode Fuzzy Hash: 542c1432e0951ba05dcc4fb301acbd54f41edbbbf92c58c95735c4e1b51b50d2
Instruction Fuzzy Hash: 42418071A0010A9FCF15DFA9D8899EEBFF5FF99320F244069E505A7291E7309D91CB90

Function 0058D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0058D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0058D13A

Strings

|, xrefs: 0058D10B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction ID: 20de1884158e0cb95b0cdf2d8ee3d4ff1b41bc96ce37ac12595cdfae6ab8a7f9
Opcode Fuzzy Hash: 8dc1b1c69ce2af2d77bf59b796b38f88908ad9efa361b3b3ab525f61b27950a0
Instruction Fuzzy Hash: 91311A71D0020AABDF15EFA4CC89AEFBFB9FF44300F000119F815A6165DB31AA56DB60

Function 005A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A365C

Strings

static, xrefs: 005A35BC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 122e22337bc0781ba20589693aa950e43beab676233fb604c540f61636c4bd61
Instruction ID: ec25a2110fa329503b0883681e4de8e28bc733ad666cfcda874b9030258fb835
Opcode Fuzzy Hash: 122e22337bc0781ba20589693aa950e43beab676233fb604c540f61636c4bd61
Instruction Fuzzy Hash: 2231AD71500204AEEB109F68DC84EFF7BA9FF89724F008619F8A597280DA31AD81D760

Function 005A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A4634

Strings

', xrefs: 005A458E

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction ID: cf6a83b4df17a8db4cdfa2242298cf86384d68b0ab00f160ebbea7432901c601
Opcode Fuzzy Hash: b4c3178dca700e86665d0cc00e29ceb6bbc411a83cd23056dbacc146c5d51745
Instruction Fuzzy Hash: 11310774A0120A9FDB14CFA9C990BEE7BB5FF8A300F14446AE905AB351D7B0A941DF90

Function 005A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A3287

Strings

Combobox, xrefs: 005A3249

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction ID: 2066e20eb525f80fa94064adbde64d5f5ed8f3dafd71121173266e5b07c47926
Opcode Fuzzy Hash: 15a5f86fe614abad92210b838aafd138aa582b47e32194301fab63345ff049fc
Instruction Fuzzy Hash: CF11D0752002086FEF219E94DC84FBF3F6AFF9A3A8F100125F9189B290D6319D5197A0

Function 005A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0051600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0051604C
Part of subcall function 0051600E: GetStockObject.GDI32(00000011), ref: 00516060
Part of subcall function 0051600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0051606A

GetWindowRect.USER32(00000000,?), ref: 005A377A
GetSysColor.USER32(00000012), ref: 005A3794

Strings

static, xrefs: 005A3757

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction ID: 134114b73b3ec6008c4fdbef1b1a556f0835499b4b2661c04ee85addd2195076
Opcode Fuzzy Hash: 43475b6a7eb57b70b17046f5870abbcdfba026bbd09eba550e85b5845f200ab2
Instruction Fuzzy Hash: 7B1129B261020AAFDB00DFA8CC45EFE7BF8FB09354F004914F955E2250E735E9559B60

Function 0058CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0058CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0058CDA6

Strings

<local>, xrefs: 0058CD66

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction ID: fb1ba8f2978b495ded9addbb0a05f2c7d65b8cdca9bcddf79a4e286ef4275730
Opcode Fuzzy Hash: cf2ae006d965c32106c1efc617839c36901c7fc09f0c90bbf92d7c5d563d3e4c
Instruction Fuzzy Hash: A811C671206671BAD7347B668C45EE7BEACFF127A4F00462AB909A3180D7709845D7F0

Function 005A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A34BA

Strings

edit, xrefs: 005A348F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction ID: 9d9a95a7db6a4abb988c022aa4904b02f30f53cebd6b163eaa9ec8997abdc26b
Opcode Fuzzy Hash: 32e96a35f1f56fee2827c0d10b76a75478074af331fc01c2f331f47d7758c70d
Instruction Fuzzy Hash: 52116D71500208AFEF118E64DC48AAF3F6AFB5A378F504724FA61971D0C771DC959B60

Function 00576C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

CharUpperBuffW.USER32(?,?,?), ref: 00576CB6
_wcslen.LIBCMT ref: 00576CC2

Strings

STOP, xrefs: 00576CBC, 00576CC1

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction ID: 3d49b2ca4b2bfd66e2ba967bda0ef6c6f227092774e8f1505fe71e82b8efa2d0
Opcode Fuzzy Hash: 48ef831d5bccab33e5c52a4888385ecd87bd05b936b692faa66cfa2d71c84213
Instruction Fuzzy Hash: C30104326109278ACB219FBDEC849FF3FA8FAA1710B504924E85697190EB31DD40D650

Function 00571CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00571D4C

Strings

ListBox, xrefs: 00571D16
ComboBox, xrefs: 00571CEB

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61515f577900a0b1658e153a8864883cc219f3891f7cfca2c53f4e1eb5d5e1b2
Instruction ID: 56c65606ad72fa43332b8947cc37f72f61f05648d94eab46ad98a48e6579370e
Opcode Fuzzy Hash: 61515f577900a0b1658e153a8864883cc219f3891f7cfca2c53f4e1eb5d5e1b2
Instruction Fuzzy Hash: 06012831600215ABDB24EFA8DC55CFE7F68FF82390F00491AF866573C1EA305908AA60

Function 00571BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00571C46

Strings

ListBox, xrefs: 00571C10
ComboBox, xrefs: 00571BE5

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction ID: 1ed53540a4fb225e058c0ca27bc0fbcb6ae22f75b40d3c3dadd142d70f95ccc8
Opcode Fuzzy Hash: efe651c9493d0f528e7c4a7d4f627ef353659f84160671756b816cbee4653579
Instruction Fuzzy Hash: 1401FC7164010566DB15E7D4D95A9FF7FACBF51340F200016A80A672C1EA209E08A6B5

Function 00571C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00571CC8

Strings

ListBox, xrefs: 00571C94
ComboBox, xrefs: 00571C69

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction ID: 8e6eb290ae1d6c6b4aab50148884e3fb06073902ca1ef74948d86ff6d13b0da8
Opcode Fuzzy Hash: 5236eee65be101673e819480d9aa51cae9b5e414ae6b3e37adac3c6d15ee0cc8
Instruction Fuzzy Hash: CC012B7164051567DB15EBD8DA16AFE7FACBF51380F104016B84677281EA208F08E2B5

Function 0052A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052A529

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Strings

3yV, xrefs: 0052A545, 0052A54D, 0052A552
,%^, xrefs: 0052A509

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%^$3yV
API String ID: 2551934079-817577063
Opcode ID: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction ID: 7c970d733234b0c6971b9745d9ffd2b6b1bc791d4476596c126bdaaeb97af815
Opcode Fuzzy Hash: 3d492e377663612434aeece31e17e115a4dd26e799b10a603d7cd03b3f516d98
Instruction Fuzzy Hash: 6401F73270066197CE08F768E86FA9E7F68BF86710F401425F9025B1C2DE509D458AD7

Function 00571D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00519CB3: _wcslen.LIBCMT ref: 00519CBD

Part of subcall function 00573CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00573CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00571DD3

Strings

ListBox, xrefs: 00571DA0
ComboBox, xrefs: 00571D75

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c1906120f15ece6188a70272699d37bdf878a5bdd94cb6e4fbb33a2b7b03104e
Instruction ID: 71db3bd30f6f6bb1b2676e8472bfb60ce74419c7ba3cd27692c5cc23827dc00c
Opcode Fuzzy Hash: c1906120f15ece6188a70272699d37bdf878a5bdd94cb6e4fbb33a2b7b03104e
Instruction Fuzzy Hash: DCF04970A0021566E714E7A8DC56BFE7F6CBF42390F040816B866632C1EA205D0896A0

Function 005A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E3018,005E305C), ref: 005A81BF
CloseHandle.KERNEL32 ref: 005A81D1

Strings

\0^, xrefs: 005A818A

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0^
API String ID: 3712363035-3379709126
Opcode ID: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction ID: 199575348d26d12ddfc890ce9e6295e2c54b067e2b0307b05e0c5fef0570b743
Opcode Fuzzy Hash: 32db07969f3fce4702b68c3c4357e8697df40c1f1b821e513b0bd5300fc3f239
Instruction Fuzzy Hash: AAF089B1640340BEE7246761AC4DFB73E9CEB15750F000461FB48DB1A1D6758E14A3F4

Function 0059747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00597493
_wcslen.LIBCMT ref: 005974B9

Strings

3, 3, 16, 1, xrefs: 00597483

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction ID: 0dbe8ab5f30028e2020a1f2af57ed84f5bd2056c98449352165aaefa24bcd8b5
Opcode Fuzzy Hash: b97c82e97b9f76108d7faa4ffa72d9c8ab74e129d18355eba94377ff6c9fba8e
Instruction Fuzzy Hash: 5FE02B03225321109B3112799CC5B7F5F8DFFCD760B14182BF989C2267EAA49D9193A0

Function 00570B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00570B23

Strings

Error allocating memory., xrefs: 00570B1C
AutoIt, xrefs: 00570B17

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 47f77a3db29c393022b32a0e9ffa64ebb20c4000b6e52fc7574fff76f6c69393
Instruction ID: 7e4c69ad8a3154ecb3eab911f476bee69323bb0faac76fd07e8a519cd20152dc
Opcode Fuzzy Hash: 47f77a3db29c393022b32a0e9ffa64ebb20c4000b6e52fc7574fff76f6c69393
Instruction Fuzzy Hash: 8AE0D8322443192AD31437547C07F8D7FC8FF06B20F10042BF758555C38EE1689056A9

Function 00530D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0052F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00530D71,?,?,?,0051100A), ref: 0052F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 00530D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 00530D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00530D7F

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction ID: 928c34918856d7bb29dd197693750a8d2d268d4c437d567f50edcac5761334f2
Opcode Fuzzy Hash: aea7f27dbaea130a961ef3b5b8875058a0ec245fa07bdaa42d00e76bec545277
Instruction Fuzzy Hash: A8E06D742007518BD7609FB8E41834A7FE4BF15744F004D2DE4C2C6691DBB0E4889B91

Function 0052E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0052E3D5

Strings

0%^, xrefs: 0052E3B5
8%^, xrefs: 0052E3CA

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%^$8%^
API String ID: 1385522511-2219163478
Opcode ID: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction ID: 109e54cbb7a2779ec71da4751c73cd58f25d60cdef7062a304f4a2b57a14564b
Opcode Fuzzy Hash: 9d555d80d306128dcd2a2438f01b95a601c879dab61278852ec3b23f3fed72d9
Instruction Fuzzy Hash: E9E02631400BB4CBC60CD718FAAAA8C3B99BF66321F1019AAE0828F1DDDBB038419654

Function 00583017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0058302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00583044

Strings

aut, xrefs: 00583038

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction ID: 6349e2c1f7829ac0352a18ac60e74142055a2daec3e7fff74015cc1ae81553e9
Opcode Fuzzy Hash: 038fd748eb899c10e404d46cb98af4203e423808cc145bea8e3fd1be1bbd4c8d
Instruction Fuzzy Hash: 27D05B7550031467DB3097949D0DFC73F6CDB05750F0001927795D2091DAB09544CAD0

Function 0056D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0056D220

Strings

X64, xrefs: 0056D2A8
%.3d, xrefs: 0056D22B

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction ID: 729f93c779faf7c5fefaa4e5baeb76e7960134e890187afc99c36b062005929c
Opcode Fuzzy Hash: b8409e17d4200147f0b9e367c3f296fab4efbdfc5dee24edf01ed9c74ccb4cf2
Instruction Fuzzy Hash: 08D012B9D08119EACB9096D0DC599B9BF7CBF19301F508C63F80693040E728C5086771

Function 005A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A236C
PostMessageW.USER32(00000000), ref: 005A2373

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2365

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction ID: ec4612f7faff35dbf9ca8e59b975b5bf59650b54b771ba011fdf326b28704b8e
Opcode Fuzzy Hash: 7b2092d33540409cbf0eaf3ec833ed144daefd482c603b64476492f20de3fcf9
Instruction Fuzzy Hash: 6DD0C9327813147AE674A774AC0FFC67E14AB6AB10F0049167755AA1D0C9A0A8059A54

Function 005A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A233F

Part of subcall function 0057E97B: Sleep.KERNEL32 ref: 0057E9F3

Strings

Shell_TrayWnd, xrefs: 005A2325

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction ID: 8de9d5149be15e572fdd04aa17f7a7b24b8beb12ead648874b83316531c9eaa7
Opcode Fuzzy Hash: 0c05fbe7688509eec5cb5da9749bcd971773cbf62077507603128322a26c8ae8
Instruction Fuzzy Hash: E8D0C936794314BAE674A774AC0FFC67E14AB66B10F0049167759AA1D0C9A0A8059A54

Function 0054BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0054BE93
GetLastError.KERNEL32 ref: 0054BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0054BEFC

Memory Dump Source

Source File: 00000000.00000002.1750134441.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1750102127.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750220017.00000000005D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750292043.00000000005DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1750319822.00000000005E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7aadc3fd7e1c94f39ff6b3d1abf2761b74e65f37c85b50beb53bc8cc30d48b33
Instruction ID: d452c11331f3303bf01371c9cfd767e24b744700ee79f0f7602882199bd2f8ef
Opcode Fuzzy Hash: 7aadc3fd7e1c94f39ff6b3d1abf2761b74e65f37c85b50beb53bc8cc30d48b33
Instruction Fuzzy Hash: A141C234604206BBEF258F65CC88AEA7FA9BF82314F144169F95D971A2DB31CD05DB50

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1907161244.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/P equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1802713041.0000024119AE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1794523921.0000024111391000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779022278.0000024111393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1920166488.0000024118688000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938172126.000002411868A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1920166488.0000024118688000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1938172126.000002411868A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1907161244.000002411A2B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1802713041.0000024119AE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1946177615.00000241137F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942236238.00000241137EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1946177615.00000241137F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942236238.00000241137EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1946177615.00000241137F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1942236238.00000241137EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3546366136.000001BAF5B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000002.3546546206.000001DF5410C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000002.3546546206.000001DF5410C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000002.3546546206.000001DF5410C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1794523921.0000024111391000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779022278.0000024111393000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1779175781.0000024110BC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1779175781.0000024110BE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1934949221.0000024119262000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49832 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c9ccca75-d92c-4a33-b760-9957043a920c.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_c9ccca75-d92c-4a33-b760-9957043a920c.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ATMBLVSEP6SKS3NVW5F8.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OCOW559X6DP43MX7PGEV.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre