Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561555
MD5:	45538b3f1d09a4c8428ded3e62112646
SHA1:	0516a5ffb07eb1480517ba6892369cb7baa55a5a
SHA256:	45918b1d583e22067ed47363882de0cfa20a8ff5486eb258fa114d3a594ad140
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 45538B3F1D09A4C8428DED3E62112646)

taskkill.exe (PID: 6940 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6176 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2056 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 2992 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1364 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2312 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7120 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 6348 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4080 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0590ddfb-40e1-4d22-93f3-32ecdcb7185d} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a84756f510 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4148 -parentBuildID 20230927232528 -prefsHandle 4204 -prefMapHandle 4196 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {429ab7b8-4f74-4e64-a7bd-da10c280bcea} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a8598a2810 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8084 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adebb1d-ed68-4c68-8123-8531c6a1a629} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a858849110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6888	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0041EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0041EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0041ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0041EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0040AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00439576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00439576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1685279225.0000000000462000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_13ddd8c0-7
Source: file.exe, 00000000.00000000.1685279225.0000000000462000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_65f793f1-4
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bfbadcd7-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_18699c46-f

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1CA737 NtQuerySystemInformation,		16_2_000002190F1CA737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1C3572 NtQuerySystemInformation,		16_2_000002190F1C3572

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0040D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00401201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0040E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003ABF40	0_2_003ABF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412046	0_2_00412046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A8060	0_2_003A8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408298	0_2_00408298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DE4FF	0_2_003DE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D676B	0_2_003D676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00434873	0_2_00434873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003CCAA0	0_2_003CCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003ACAF0	0_2_003ACAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BCC39	0_2_003BCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D6DD9	0_2_003D6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BB119	0_2_003BB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A91C0	0_2_003A91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1394	0_2_003C1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1706	0_2_003C1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C781B	0_2_003C781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003A7920	0_2_003A7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003B997D	0_2_003B997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C19B0	0_2_003C19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C7A4A	0_2_003C7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1C77	0_2_003C1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C7CA7	0_2_003C7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042BE44	0_2_0042BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D9EEE	0_2_003D9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C1F32	0_2_003C1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1CA737	16_2_000002190F1CA737
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1C3572	16_2_000002190F1C3572
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1C35B2	16_2_000002190F1C35B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 16_2_000002190F1C3C9C	16_2_000002190F1C3C9C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003BF9F2 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 003C0A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/39@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004137B5 GetLastError,FormatMessageW,

0_2_004137B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004010BF AdjustTokenPrivileges,CloseHandle,		0_2_004010BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004016C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004151CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0040D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0041648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_003A42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FCEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000D.00000003.1876818123.000001A8613AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0590ddfb-40e1-4d22-93f3-32ecdcb7185d} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a84756f510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4148 -parentBuildID 20230927232528 -prefsHandle 4204 -prefMapHandle 4196 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {429ab7b8-4f74-4e64-a7bd-da10c280bcea} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a8598a2810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adebb1d-ed68-4c68-8123-8531c6a1a629} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a858849110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0590ddfb-40e1-4d22-93f3-32ecdcb7185d} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a84756f510 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4148 -parentBuildID 20230927232528 -prefsHandle 4204 -prefMapHandle 4196 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {429ab7b8-4f74-4e64-a7bd-da10c280bcea} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a8598a2810 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adebb1d-ed68-4c68-8123-8531c6a1a629} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a858849110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000D.00000003.1843796915.000001A854CAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000D.00000003.1843796915.000001A854CAC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000D.00000003.1841342243.000001A854CA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.13.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000D.00000003.1841342243.000001A854CA2000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: gmpopenh264.dll.tmp.13.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C0A76 push ecx; ret

0_2_003C0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003BF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00431C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96159

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002190F1CA737 rdtsc

16_2_000002190F1CA737

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\file.exe TID: 6908	Thread sleep count: 110 > 30			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6908	Thread sleep count: 176 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0040DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004168EE FindFirstFileW,FindClose,	0_2_004168EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0041698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0040D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0040D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00419642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0041979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00419B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00419B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00415C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: firefox.exe, 0000000F.00000002.3555390388.0000020D1A2AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3561089154.0000020D1A700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3555390388.0000020D1A2D6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3554344918.000002190E4BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3559876387.000002190ED60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3554473973.000002359C81A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3559914776.000002359CD00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000000F.00000002.3560305129.0000020D1A620000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000010.00000002.3559876387.000002190ED60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]w
Source: firefox.exe, 0000000F.00000002.3561089154.0000020D1A700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3559876387.000002190ED60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 16_2_000002190F1CA737 rdtsc

16_2_000002190F1CA737

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041EAA2 BlockInput,

0_2_0041EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003D2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C4CE8 mov eax, dword ptr fs:[00000030h]

0_2_003C4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00400B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00400B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003D2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003C083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C09D5 SetUnhandledExceptionFilter,	0_2_003C09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003C0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00401201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003E2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_003E2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040B226 SendInput,keybd_event,

0_2_0040B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004222DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00400B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00401663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00401663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003C0698 cpuid

0_2_003C0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00418195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00418195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003FD27A GetUserNameW,

0_2_003FD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003DBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003DBB6F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003A42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6888, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 6888, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00421204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00421806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	24%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.110	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.1.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678942	firefox.exe, 0000000D.00000003.1792995618.000001A858132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000011.00000002.3556742161.000002359CCC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000D.00000003.1914413690.000001A8613A4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000D.00000003.1889027759.000001A8598D5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.13.dr	false	high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	firefox.exe, 0000000F.00000002.3556266063.0000020D1A4CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3560113196.000002359CE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000D.00000003.1849790496.000001A85F376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862484406.000001A85F376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765677194.000001A85F37E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 0000000F.00000002.3556266063.0000020D1A472000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E886000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000D.00000003.1768430052.000001A85F54E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1898419025.000001A85AB36000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 0000000D.00000003.1930985865.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913406311.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000D.00000003.1729181311.000001A854D3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729539732.000001A854D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729334370.000001A854D5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729017105.000001A854D1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728803207.000001A857000000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000D.00000003.1911612418.000001A858BCC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932893350.000001A857AEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932893350.000001A857A7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000D.00000003.1929497647.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1877812298.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1915152756.000001A8612B2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000D.00000003.1878715357.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913406311.000001A8588C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729334370.000001A854D5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729017105.000001A854D1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728803207.000001A857000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853139771.000001A858AFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931257697.000001A8588CB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 0000000D.00000003.1910047499.000001A85A945000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000D.00000003.1729181311.000001A854D3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729539732.000001A854D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729334370.000001A854D5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729017105.000001A854D1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728803207.000001A857000000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 0000000D.00000003.1907238917.000001A85F281000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1889027759.000001A859883000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	firefox.exe, 0000000F.00000002.3556266063.0000020D1A4CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3560113196.000002359CE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000D.00000003.1878238792.000001A85FCB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 0000000D.00000003.1903628603.000001A862885000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906553427.000001A85F550000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	firefox.exe, 0000000F.00000002.3556266063.0000020D1A4CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3560113196.000002359CE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000D.00000003.1932173921.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918081544.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 0000000D.00000003.1903628603.000001A862885000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906553427.000001A85F550000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000D.00000003.1792908132.000001A858ED1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000D.00000003.1921085537.000001A8557F2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000D.00000003.1915627889.000001A85FCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FCB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000011.00000002.3556742161.000002359CCC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000D.00000003.1792995618.000001A858132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793083418.000001A858148000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000D.00000003.1895880437.000001A858A4E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000D.00000003.1889027759.000001A8598E8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://amazon.com	firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000D.00000003.1911612418.000001A858BCC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.13.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000D.00000003.1913406311.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000D.00000003.1929832755.000001A85F91F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1926456640.000001A85AD78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E812000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.13.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.com/Z	firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 0000000D.00000003.1890466288.000001A8590E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 0000000F.00000002.3556266063.0000020D1A472000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000D.00000003.1921502743.000001A85F93A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000D.00000003.1792995618.000001A858132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000D.00000003.1838466921.000001A8575CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737400823.000001A8575F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1894926607.000001A858A59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1923582128.000001A86123E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1843139754.000001A8589C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1836838906.000001A858DED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1900853614.000001A854D6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1873889176.000001A8629A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895880437.000001A858A4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1895880437.000001A858A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1928237529.000001A859DA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908535318.000001A859754000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1770176113.000001A859D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769214273.000001A85AE9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1739786234.000001A8575F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1737920212.000001A8575F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910047499.000001A85A932000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1880402693.000001A85AE1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765071657.000001A85F3D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1849790496.000001A85F369000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769214273.000001A85AE67000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000D.00000003.1910047499.000001A85A945000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000D.00000003.1770176113.000001A859DF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1888572630.000001A859DF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910047499.000001A85A945000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.13.dr	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000D.00000003.1932173921.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FC33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918081544.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769214273.000001A85AE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879585059.000001A85AE67000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000D.00000003.1932173921.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FC33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1918081544.000001A857DBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1769214273.000001A85AE67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1879585059.000001A85AE67000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000D.00000003.1921502743.000001A85F93A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000D.00000003.1849790496.000001A85F376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1862484406.000001A85F376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1765677194.000001A85F37E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000D.00000003.1924880670.000001A85F966000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1921502743.000001A85F965000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000D.00000003.1731625804.000001A856E33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733761669.000001A856E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734477255.000001A856E33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000D.00000003.1792995618.000001A858132000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000D.00000003.1917130604.000001A8590A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1890831848.000001A8590A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1908861415.000001A8590A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1911423877.000001A8590A5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000D.00000003.1926962886.000001A85A94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1910047499.000001A85A945000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000D.00000003.1792995618.000001A858132000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1793083418.000001A858148000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1792831656.000001A858EDA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000D.00000003.1731625804.000001A856E33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1733761669.000001A856E1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1734477255.000001A856E33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000D.00000003.1915627889.000001A85FCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FCB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	firefox.exe, 0000000F.00000002.3556266063.0000020D1A4CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E8E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3560113196.000002359CE03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.13.dr	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000D.00000003.1768430052.000001A85F560000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000D.00000003.1875986290.000001A86241C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000D.00000003.1890466288.000001A8590E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/search	firefox.exe, 0000000D.00000003.1790702665.000001A858AFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729181311.000001A854D3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729539732.000001A854D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913406311.000001A8588C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729334370.000001A854D5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1729017105.000001A854D1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1728803207.000001A857000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1853139771.000001A858AFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1931257697.000001A8588CB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://relay.firefox.com/api/v1/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://topsites.services.mozilla.com/cid/	firefox.exe, 0000000F.00000002.3559998498.0000020D1A570000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3556072872.000002190E780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3556071579.000002359CB00000.00000002.10000000.00040000.00000000.sdmp	false	high
https://twitter.com/	firefox.exe, 0000000D.00000003.1889027759.000001A8598E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1906553427.000001A85F550000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1193802	firefox.exe, 0000000D.00000003.1792831656.000001A858EDA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/	firefox.exe, 0000000D.00000003.1890466288.000001A8590E6000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561555
Start date and time:	2024-11-23 18:42:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/39@71/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 40 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.12.64.98, 35.80.238.59, 35.164.125.63, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sora.arm.elf	Get hash	malicious	Mirai	Browse	32.35.17.38
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	57.28.196.7
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	34.14.230.135
	sora.x86.elf	Get hash	malicious	Mirai	Browse	57.237.12.143
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sora.arm.elf	Get hash	malicious	Mirai	Browse	32.35.17.38
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	57.28.196.7
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	34.14.230.135
	sora.x86.elf	Get hash	malicious	Mirai	Browse	57.237.12.143

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd86c6c-6021-4862-88af-cc316151702a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1815387585793635
Encrypted:	false
SSDEEP:	192:wtjMXOo7cbhbVbTbfbRbObtbyEl7n0rnJA6WnSrDtTUd/SkDrT:wtYbcNhnzFSJUrOBnSrDhUd/B
MD5:	B7E865C9BCBFB244F4BA53DDF94A4F0E
SHA1:	396C7FC34D653EA16D7C60EE6BBE9A21CE1B7136
SHA-256:	A09F873946635B9FFFF336FDE54CCDAD8D250CF7A242D9EA76417CFF1FD21707
SHA-512:	52CD48723A6E3C60D6802C7E6197FCE6E1F14C30B39B6B53A23F87E9E89DF8A1ED726CBE485D46B74562392652B9C373AB1B62F48075A0EACB32BCF0A395DC37
Malicious:	false
Preview:	{"type":"uninstall","id":"dfd86c6c-6021-4862-88af-cc316151702a","creationDate":"2024-11-23T19:04:05.284Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd86c6c-6021-4862-88af-cc316151702a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.1815387585793635
Encrypted:	false
SSDEEP:	192:wtjMXOo7cbhbVbTbfbRbObtbyEl7n0rnJA6WnSrDtTUd/SkDrT:wtYbcNhnzFSJUrOBnSrDhUd/B
MD5:	B7E865C9BCBFB244F4BA53DDF94A4F0E
SHA1:	396C7FC34D653EA16D7C60EE6BBE9A21CE1B7136
SHA-256:	A09F873946635B9FFFF336FDE54CCDAD8D250CF7A242D9EA76417CFF1FD21707
SHA-512:	52CD48723A6E3C60D6802C7E6197FCE6E1F14C30B39B6B53A23F87E9E89DF8A1ED726CBE485D46B74562392652B9C373AB1B62F48075A0EACB32BCF0A395DC37
Malicious:	false
Preview:	{"type":"uninstall","id":"dfd86c6c-6021-4862-88af-cc316151702a","creationDate":"2024-11-23T19:04:05.284Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"65e71c9e-6ac3-4903-9066-b134350de32c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	MS Windows icon resource - 1 icon, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 24 bits/pixel
Category:	modified
Size (bytes):	490
Entropy (8bit):	7.246483341090937
Encrypted:	false
SSDEEP:	12:l8v/7J2T+gwjz+vdzLSMO9mj253UT3BcHXhJo:82CgwS//O91iT3BUXh6
MD5:	BD9751DFFFEFFA2154CC5913489ED58C
SHA1:	1C9230053C45CA44883103A6ACFDF49AC53ABF45
SHA-256:	834C4F18E96CFDAA395246183DE76032F1B77886764CEEBE52F6A146FA4D4C3B
SHA-512:	01072F60F4B2489BB84639A6179A82A3EA90A31C1AD61D30EF27800C3114DB5E45662583E1C0B5382F51635DC14372EFC71DCD069999D6B21A5D256C70697790
Malicious:	false
Preview:	.......................PNG........IHDR................a....IDAT8O...1P......p....d1.....v)......p.nXM.t.H.(.......B$..}_G.{.......:uN...=......s\|.$...`0.....dl6.>>>p.\.v;z.......F.a:.2..D.V.....V..n...g.z.X..C...v.......=.H..d..P...i.."...X,.B...h...xyy.V....I$..J%r....6....Z-:...P..J..........\|>'...P.\&.....l6....N5...Z.x<.....h.z..'@...L&.F..'.Jq<...m6.OOO.....$..r:.......v..V..ze.\.p.R..t.Z.....r...B...3.B..0...TE".p8.D0..`2.D.j...h..n...wF...........#......O....IEND.B`.

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2MYL4839XKGVXI1RNYNT.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3027954042084917
Encrypted:	false
SSDEEP:	24:iLdfa2AWTIUx2dWoM153MbLN8zmLLdfa2AWswM+bpoqdWoM153MbLFX1Rgm5LdfU:GdavUgdw3zQdaZ6Bdwx6daZadwT1
MD5:	B06D0E2D6C76A78D73B85E267FE841C8
SHA1:	58FE09F8C74C35E0CE111EFDBA27C0253F52A149
SHA-256:	35A1EF1B97CC4E626F33F5995E3B383BFC0D28EAAF30F1290192774583BC8C6F
SHA-512:	11B3E9C830403733E1B09722FD8019C94EEA1D71EB8D3C00B689BE7C64BFE171E050811DB4FFE40EEB3B9E093B59D6CF7474AC3FA66220681F20022ABDF720C7
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......(..C.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwYv.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwYv.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwYv...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............].......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3027954042084917
Encrypted:	false
SSDEEP:	24:iLdfa2AWTIUx2dWoM153MbLN8zmLLdfa2AWswM+bpoqdWoM153MbLFX1Rgm5LdfU:GdavUgdw3zQdaZ6Bdwx6daZadwT1
MD5:	B06D0E2D6C76A78D73B85E267FE841C8
SHA1:	58FE09F8C74C35E0CE111EFDBA27C0253F52A149
SHA-256:	35A1EF1B97CC4E626F33F5995E3B383BFC0D28EAAF30F1290192774583BC8C6F
SHA-512:	11B3E9C830403733E1B09722FD8019C94EEA1D71EB8D3C00B689BE7C64BFE171E050811DB4FFE40EEB3B9E093B59D6CF7474AC3FA66220681F20022ABDF720C7
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......(..C.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwYv.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwYv.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwYv...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............].......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3027954042084917
Encrypted:	false
SSDEEP:	24:iLdfa2AWTIUx2dWoM153MbLN8zmLLdfa2AWswM+bpoqdWoM153MbLFX1Rgm5LdfU:GdavUgdw3zQdaZ6Bdwx6daZadwT1
MD5:	B06D0E2D6C76A78D73B85E267FE841C8
SHA1:	58FE09F8C74C35E0CE111EFDBA27C0253F52A149
SHA-256:	35A1EF1B97CC4E626F33F5995E3B383BFC0D28EAAF30F1290192774583BC8C6F
SHA-512:	11B3E9C830403733E1B09722FD8019C94EEA1D71EB8D3C00B689BE7C64BFE171E050811DB4FFE40EEB3B9E093B59D6CF7474AC3FA66220681F20022ABDF720C7
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......(..C.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwYv.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwYv.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwYv...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............].......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZWPUUJFJFQIHM1G01R0T.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.3027954042084917
Encrypted:	false
SSDEEP:	24:iLdfa2AWTIUx2dWoM153MbLN8zmLLdfa2AWswM+bpoqdWoM153MbLFX1Rgm5LdfU:GdavUgdw3zQdaZ6Bdwx6daZadwT1
MD5:	B06D0E2D6C76A78D73B85E267FE841C8
SHA1:	58FE09F8C74C35E0CE111EFDBA27C0253F52A149
SHA-256:	35A1EF1B97CC4E626F33F5995E3B383BFC0D28EAAF30F1290192774583BC8C6F
SHA-512:	11B3E9C830403733E1B09722FD8019C94EEA1D71EB8D3C00B689BE7C64BFE171E050811DB4FFE40EEB3B9E093B59D6CF7474AC3FA66220681F20022ABDF720C7
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......(..C.=..........S...........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IwYv.....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WwYv.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WwYv...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............].......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929081138753073
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLynL8P:8S+OBIUjOdwiOdYVjjwLyL8P
MD5:	4B65DD2DB1BE14E00C3AE25D754661E4
SHA1:	5AD6CFE5D937B065541198C272BEE88C7849A79C
SHA-256:	0385E08BF26197E53135B2FB0D5B89FC58D9D8F30793B822D7238D563F98500C
SHA-512:	EAAB9A760FCB7B6FEEB7ECD62A6458547351CF1D9A0B7886904DEA313DE5F4EB63ADD4294CD256F02778B83C23FA9CC632B978F0051DD0451434D47597DBDAE3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.929081138753073
Encrypted:	false
SSDEEP:	96:8S+OfJQPUFpOdwNIOdYVjvYcXaNLynL8P:8S+OBIUjOdwiOdYVjjwLyL8P
MD5:	4B65DD2DB1BE14E00C3AE25D754661E4
SHA1:	5AD6CFE5D937B065541198C272BEE88C7849A79C
SHA-256:	0385E08BF26197E53135B2FB0D5B89FC58D9D8F30793B822D7238D563F98500C
SHA-512:	EAAB9A760FCB7B6FEEB7ECD62A6458547351CF1D9A0B7886904DEA313DE5F4EB63ADD4294CD256F02778B83C23FA9CC632B978F0051DD0451434D47597DBDAE3
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"c5d95379-f4ee-4629-a507-6f15a0e93cd4","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-03T11:50:29.548Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5312
Entropy (8bit):	6.615424734763731
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrw2D:VTx2x2t0FDJ4NpwZMd0EJws
MD5:	1B9C8056D3619CE5A8C59B0C09873F17
SHA1:	1015C630E1937AA63F6AB31743782ECB5D78CCD8
SHA-256:	A6AE5DE0733FED050AB570AD9374FF4593D554F695B5AE4E2495871D171D34A3
SHA-512:	B1DC9CC675D5476C270A2D5B214D3DF2B3856576ED7EFE92D9A606C2D9D34E781018902AE75CE9C1E25007BB7F8D8F7B52997E6F05B845EF44BAF22F614FE899
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185924656884556
Encrypted:	false
SSDEEP:	768:wI43DvfWXf4E6C4p4EC4Y4QfEWvM4B4QS4z4444XQ4U:wUfdvk
MD5:	5656BA69BD2966108A461AAE35F60226
SHA1:	9C2E5AE52D82CEA43C4A5FFF205A7700CF54D61C
SHA-256:	587596712960B26EAC18CB354CCD633FFDB218E374A9D59EFEA843914D7AB299
SHA-512:	38F715AD9156558B5D57CA2E75FB0FFE0C5C6728BD94484B8F15E090120DDD02DCE42DBC9CC7143AD6552460A5F3A40E577FAF1D76D5D40B25CDBE636F250054
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{60024e8e-cfd0-41e5-965d-7128c7dcf0e8}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07324810962864572
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkild:DLhesh7Owd4+jiv
MD5:	E9AB87E40C25A25A9D12FBBE763C4171
SHA1:	32E256EB4E4B2C8602F180A439F175DBB45D8430
SHA-256:	B1757E3ED6C488033C92EDED1073F98E78FB2AB20E41E90D7EBA186CED502961
SHA-512:	9124D25DAC462E316FA52BD128DDF443462CF79F08D81103328B17866B6CCA32C03921E24378FC87DBF1AA39A22C097D583939B701AD9505D5AF89A6402AA207
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03935524936221759
Encrypted:	false
SSDEEP:	3:GHlhVlNIiep3WXmlYHlhVlNIiep3WXm/4l8a9//Ylll4llqlyllel4lt:G7VnI9cmG7VnI9cmAL9XIwlio
MD5:	CA18AD84790115842333D3F52B952CA8
SHA1:	F3C69B28FC145C2E91CEA613C945A3708C18C844
SHA-256:	E6C75384B8E902351F1E398DBDD0C1A1F3BA846A88FA52D3214DC0B821F3A66D
SHA-512:	0EA22197C348F9C0CEE2BE6D7A682EECD08259127245B912C092FD3CE8817403770AD8F207412B902C49C8355FA0BE8D7AE23AC9C389F1D3847BCF8E036C74CA
Malicious:	false
Preview:	..-........................U...>....0.u..~...m....-........................U...>....0.u..~...m..........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11778750511555393
Encrypted:	false
SSDEEP:	24:KAyg7vfkfWLxsZ+qijxsMltTAUCF2QWUCZ7CCQE/TKCbCMxsaxipqwlNKVZ2i7+:7yg7vMfaQ14JtUnWdU+RVxihngZk
MD5:	CDC2DAB2882B57F2A22B7799EDBC94E7
SHA1:	FA37FE1808E18DDE65B0842563CEECBA503F9D4C
SHA-256:	908E2409D90DB996BD5BD0701EA94B71AF1C8CB49E6C467897E995D668B17965
SHA-512:	FF92163C6BE895F86ACB5795CD38E80DB610B5CBC7596E00B47FCDC48711B100A2057F00711F7F0F0EDFFD7A0400710195CAF924F21A94E3DA6D43D50C15CE09
Malicious:	false
Preview:	7....-..............0.u....`O..............0.u../.4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494882511871218
Encrypted:	false
SSDEEP:	192:3naRtLYbBp6Lhj4qyaaXC6K5VNqNs5RfGNBw8dPSl:ieRquGfVcwE0
MD5:	967EA43B3E1702E27CAC4DCB28496B31
SHA1:	8765587B3FB8412C92C7D7317127B7D8F371B916
SHA-256:	3DACE35F6247417DC179BF210D9AD4D717BB0F3B02CED72DF1AC3952B76F62F0
SHA-512:	DC77EDB3DF381BF96EC47FAD62FDC2E900DF213E09E0062D004CBF4B728EEB27C24EA5B55255F75140B4F0AAA4F35124E6B13C595F1393BE15037B652062DEBD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732388616);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732388616);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732388616);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	13254
Entropy (8bit):	5.494882511871218
Encrypted:	false
SSDEEP:	192:3naRtLYbBp6Lhj4qyaaXC6K5VNqNs5RfGNBw8dPSl:ieRquGfVcwE0
MD5:	967EA43B3E1702E27CAC4DCB28496B31
SHA1:	8765587B3FB8412C92C7D7317127B7D8F371B916
SHA-256:	3DACE35F6247417DC179BF210D9AD4D717BB0F3B02CED72DF1AC3952B76F62F0
SHA-512:	DC77EDB3DF381BF96EC47FAD62FDC2E900DF213E09E0062D004CBF4B728EEB27C24EA5B55255F75140B4F0AAA4F35124E6B13C595F1393BE15037B652062DEBD
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732388616);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732388616);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732388616);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173238

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331686300269971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQ63N7LXnIgk/pnxQwRlszT5sKtN3eHVQj6TYamhujJlOsIomNbnyM:GUpOxotUnR6/3eHTY4JlIbyNR4
MD5:	11DD5E2934E35C3145417CF82ED2F683
SHA1:	4EB30D11F4B920C920FDEA5003DE68F4C43EEB51
SHA-256:	0D83668EDFCF5D390015714796E0B8AA818BB6591E0E9FE18481F98696BD59A4
SHA-512:	955B09E6B101860CE0C326DDE4FD0C0CC65D77A48079CD5DA79BADB578B302973BBE2767C5BFB14601C08514D13656934009099F64F6303C1529ACBCD0CD2B99
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{03368c6c-49c4-4d93-a701-7affc7324fab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732388621167,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q58526...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....590955,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331686300269971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQ63N7LXnIgk/pnxQwRlszT5sKtN3eHVQj6TYamhujJlOsIomNbnyM:GUpOxotUnR6/3eHTY4JlIbyNR4
MD5:	11DD5E2934E35C3145417CF82ED2F683
SHA1:	4EB30D11F4B920C920FDEA5003DE68F4C43EEB51
SHA-256:	0D83668EDFCF5D390015714796E0B8AA818BB6591E0E9FE18481F98696BD59A4
SHA-512:	955B09E6B101860CE0C326DDE4FD0C0CC65D77A48079CD5DA79BADB578B302973BBE2767C5BFB14601C08514D13656934009099F64F6303C1529ACBCD0CD2B99
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{03368c6c-49c4-4d93-a701-7affc7324fab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732388621167,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q58526...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....590955,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1570
Entropy (8bit):	6.331686300269971
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSQ63N7LXnIgk/pnxQwRlszT5sKtN3eHVQj6TYamhujJlOsIomNbnyM:GUpOxotUnR6/3eHTY4JlIbyNR4
MD5:	11DD5E2934E35C3145417CF82ED2F683
SHA1:	4EB30D11F4B920C920FDEA5003DE68F4C43EEB51
SHA-256:	0D83668EDFCF5D390015714796E0B8AA818BB6591E0E9FE18481F98696BD59A4
SHA-512:	955B09E6B101860CE0C326DDE4FD0C0CC65D77A48079CD5DA79BADB578B302973BBE2767C5BFB14601C08514D13656934009099F64F6303C1529ACBCD0CD2B99
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{03368c6c-49c4-4d93-a701-7affc7324fab}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732388621167,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...1a5ccf63-1000-409f-b5c1-afec7f75d4d9","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q58526...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d10cb4604fe726755","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....590955,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032954477089191
Encrypted:	false
SSDEEP:	48:YrSAYS/6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycS/yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BB9185EEB6E229B32775511057E29E41
SHA1:	6C88399662211DDC57F5223DC8BC24FD64393195
SHA-256:	9D63FDC6B65D5144DB6E75AAC979FDDEF6E1ECB4A116951D76B7E39CEA68E52D
SHA-512:	53A0DF733AE800195CC2C3A1226B1B563D86B7D488DD1EE4A7A9051CFA493FEEB3CA1B69292DDA0DD944AB50199AA2A316C2AE3316E52CAF9736104B69EC9321
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T19:03:22.515Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032954477089191
Encrypted:	false
SSDEEP:	48:YrSAYS/6UQZpExB1+anOsW4Vh351VxWRzzc8eYMsku7f86SLAVL7if5FtsfAcbyk:ycS/yTEr5QFRzzcMvbw6KkCrrc2Rn27
MD5:	BB9185EEB6E229B32775511057E29E41
SHA1:	6C88399662211DDC57F5223DC8BC24FD64393195
SHA-256:	9D63FDC6B65D5144DB6E75AAC979FDDEF6E1ECB4A116951D76B7E39CEA68E52D
SHA-512:	53A0DF733AE800195CC2C3A1226B1B563D86B7D488DD1EE4A7A9051CFA493FEEB3CA1B69292DDA0DD944AB50199AA2A316C2AE3316E52CAF9736104B69EC9321
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T19:03:22.515Z","profileAgeCreated":1696333826043,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591629762580913
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	45538b3f1d09a4c8428ded3e62112646
SHA1:	0516a5ffb07eb1480517ba6892369cb7baa55a5a
SHA256:	45918b1d583e22067ed47363882de0cfa20a8ff5486eb258fa114d3a594ad140
SHA512:	d66cfafbd219350593caa028bd259bddc7a7bb5e9b178e821bca10d86f85939f3d13c434816c4db91ba6f5a001d24a63b9fa0bca748add3719209b47ef23c287
SSDEEP:	12288:lqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaiTB:lqDEvCTbMWu7rQYlBQcBiT6rprG8aCB
TLSH:	86159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674211CB [Sat Nov 23 17:32:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F37C0842D43h
jmp 00007F37C084264Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F37C084282Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F37C08427FAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F37C08453EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F37C0845438h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F37C0845421h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa7a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa7a4	0xa800	79318fa8273d93805a56bebac6fe1b62	False	0.3689081101190476	data	5.613298928774709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a6c	data			1.0016262566528682
RT_GROUP_ICON	0xde224	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde29c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde2b0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde2c4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde2d8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde3b4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 18:43:47.067914963 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:47.068002939 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:47.068351984 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:47.072659969 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:47.072698116 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:48.399136066 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:48.407335997 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:48.408303976 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:48.416250944 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:48.416284084 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:48.416364908 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:48.416517973 CET	443	49736	35.190.72.216	192.168.2.4
Nov 23, 2024 18:43:48.422646046 CET	49736	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:43:49.193039894 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.193126917 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:49.193156004 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.193212032 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:49.194024086 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.194025040 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.195419073 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.195458889 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:49.196747065 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:49.196765900 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:49.303251982 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:49.423057079 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:49.425704956 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:49.425836086 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:49.546343088 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:49.942358971 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.942442894 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:49.943371058 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:49.943393946 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:49.943887949 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.943906069 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:49.949369907 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.949595928 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:49.949595928 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.950743914 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.950794935 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:49.950897932 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:49.950922012 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:49.952450991 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:49.952476025 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:50.181567907 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:50.181651115 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:50.183631897 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:50.187673092 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:50.187711954 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:50.559472084 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:50.623162031 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:50.883043051 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:50.907655001 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.907735109 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.908318043 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.908584118 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.911752939 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.911753893 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.911766052 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.911921978 CET	443	49739	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.912055016 CET	49739	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.980505943 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.981467009 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.989960909 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.989960909 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.990024090 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.998328924 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.998369932 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.998399019 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:50.998505116 CET	443	49738	142.250.181.78	192.168.2.4
Nov 23, 2024 18:43:50.999263048 CET	49738	443	192.168.2.4	142.250.181.78
Nov 23, 2024 18:43:51.008203983 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:51.011285067 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:51.011532068 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:51.149754047 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:51.249763012 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:51.252553940 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:51.286575079 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.289462090 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.290690899 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.290710926 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.307341099 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.309616089 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.313368082 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:51.313414097 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:51.313740015 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:51.335374117 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:51.335475922 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:51.335906982 CET	443	49742	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:51.340671062 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.340678930 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.340739965 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.340975046 CET	443	49741	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.342751026 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.342765093 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.342824936 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.342909098 CET	443	49743	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.342956066 CET	49742	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:51.342956066 CET	49741	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.343116999 CET	49743	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.474760056 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:51.474828005 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:51.477730989 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:51.477763891 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:51.478009939 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:51.480165958 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:51.480231047 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:51.480305910 CET	443	49744	34.160.144.191	192.168.2.4
Nov 23, 2024 18:43:51.480735064 CET	49744	443	192.168.2.4	34.160.144.191
Nov 23, 2024 18:43:51.818465948 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:51.825469971 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.825504065 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.839879036 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.842431068 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:51.842452049 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:51.884080887 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:51.938369036 CET	80	49740	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:51.940052986 CET	49740	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:52.003618002 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:52.004793882 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:52.005098104 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:52.124650955 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:52.208276033 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:52.208555937 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:52.329253912 CET	80	49746	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:52.329328060 CET	49746	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:52.452368021 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:52.452444077 CET	443	49750	34.107.243.93	192.168.2.4
Nov 23, 2024 18:43:52.454497099 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:52.455876112 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:52.455929995 CET	443	49750	34.107.243.93	192.168.2.4
Nov 23, 2024 18:43:52.518934011 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:52.518974066 CET	443	49751	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:52.520425081 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:52.521804094 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:52.521833897 CET	443	49751	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:52.623200893 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:52.623256922 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:52.625402927 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:52.625603914 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:52.625617981 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:52.630773067 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:52.630868912 CET	443	49753	34.149.100.209	192.168.2.4
Nov 23, 2024 18:43:52.631431103 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:52.632731915 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:52.632785082 CET	443	49753	34.149.100.209	192.168.2.4
Nov 23, 2024 18:43:53.063373089 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:53.063388109 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:53.063453913 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:53.068059921 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:53.068089962 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:53.068150043 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:53.068248034 CET	443	49748	34.117.188.166	192.168.2.4
Nov 23, 2024 18:43:53.068305969 CET	49748	443	192.168.2.4	34.117.188.166
Nov 23, 2024 18:43:53.136281013 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:53.181209087 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:53.873116016 CET	443	49750	34.107.243.93	192.168.2.4
Nov 23, 2024 18:43:53.873236895 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:53.877285957 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:53.877317905 CET	443	49750	34.107.243.93	192.168.2.4
Nov 23, 2024 18:43:53.877362013 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:53.877769947 CET	443	49750	34.107.243.93	192.168.2.4
Nov 23, 2024 18:43:53.878514051 CET	49750	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:43:53.944363117 CET	443	49751	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:53.944459915 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:53.948223114 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:53.948251009 CET	443	49751	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:53.948297977 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:53.948451996 CET	443	49751	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:53.950232983 CET	49751	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:53.953414917 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:53.953862906 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:53.956749916 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:53.956760883 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:53.956981897 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:53.959100962 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:53.959171057 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:53.959233046 CET	443	49752	35.244.181.201	192.168.2.4
Nov 23, 2024 18:43:53.959285975 CET	49752	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:43:53.986392975 CET	443	49753	34.149.100.209	192.168.2.4
Nov 23, 2024 18:43:53.986468077 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:53.990789890 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:53.990817070 CET	443	49753	34.149.100.209	192.168.2.4
Nov 23, 2024 18:43:53.990856886 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:53.990956068 CET	443	49753	34.149.100.209	192.168.2.4
Nov 23, 2024 18:43:53.991008043 CET	49753	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:43:55.589503050 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:55.635548115 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:55.709585905 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:55.709677935 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:55.709832907 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:55.755584002 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:55.774930000 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:55.775000095 CET	443	49756	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:55.775451899 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:55.776773930 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:55.776808023 CET	443	49756	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:55.829412937 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:55.961524010 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:56.018469095 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:56.866542101 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:43:56.926918030 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:43:57.345264912 CET	443	49756	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:57.345355988 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:57.349555969 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:57.349608898 CET	443	49756	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:57.349653006 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:43:57.349818945 CET	443	49756	34.120.208.123	192.168.2.4
Nov 23, 2024 18:43:57.349880934 CET	49756	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:00.962299109 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:01.088185072 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:01.292196989 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:01.335199118 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:01.358333111 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:01.360188007 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.360230923 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.361876011 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.502279997 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:01.729387999 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:01.774264097 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:01.829446077 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.829462051 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.830373049 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.830411911 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.830575943 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.830642939 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.830913067 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:01.830996990 CET	443	49764	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:01.831974030 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.831976891 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:01.831984043 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.832122087 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.832127094 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.832242966 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:01.832276106 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:01.833463907 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:01.833508968 CET	443	49764	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:02.563982010 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:02.690429926 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:02.895370007 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:02.961931944 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:03.045850992 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.046005964 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.061222076 CET	443	49764	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:03.061297894 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:03.155760050 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.155894041 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.202210903 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.206973076 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.209367990 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.639127970 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.639142990 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.639482021 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.642327070 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.642349958 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.642694950 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:03.695164919 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:03.696707964 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.879714966 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.879825115 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.879987955 CET	443	49762	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.881186962 CET	49762	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.976342916 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.976398945 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.976416111 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.976579905 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.976609945 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.976737022 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.976748943 CET	443	49763	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.976809978 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.976815939 CET	443	49760	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:04.977324963 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:04.977416992 CET	443	49764	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:04.977453947 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:04.977596998 CET	443	49764	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:04.978154898 CET	49764	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:04.978164911 CET	49763	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:04.978164911 CET	49760	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:05.649337053 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:05.770915985 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:06.039623976 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:06.086416960 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:06.189374924 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:06.309401035 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:06.513788939 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:06.572199106 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:15.863564014 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:15.863605976 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:15.867914915 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:15.869685888 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:15.869699955 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:15.876007080 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:15.876060009 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:15.876298904 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:15.876420021 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:15.876472950 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:15.883228064 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:15.883249044 CET	443	49769	35.190.72.216	192.168.2.4
Nov 23, 2024 18:44:15.887550116 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:15.889072895 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:15.889098883 CET	443	49769	35.190.72.216	192.168.2.4
Nov 23, 2024 18:44:16.015624046 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:16.015670061 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:16.020348072 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:16.020411015 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:16.020417929 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:16.045922041 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:16.227746964 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:16.227792025 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:16.227984905 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:16.229465961 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:16.229485989 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:16.246171951 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:16.256716013 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:16.256747007 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:16.256831884 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:16.256942034 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:16.256953001 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:16.516097069 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:16.635704041 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:17.116693020 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:17.117016077 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:17.120299101 CET	443	49769	35.190.72.216	192.168.2.4
Nov 23, 2024 18:44:17.120704889 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:17.123044968 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:17.123053074 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:17.123145103 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:17.123203993 CET	443	49767	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:17.124577045 CET	49767	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:17.125257969 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:17.125283003 CET	443	49769	35.190.72.216	192.168.2.4
Nov 23, 2024 18:44:17.125340939 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:17.125466108 CET	443	49769	35.190.72.216	192.168.2.4
Nov 23, 2024 18:44:17.125819921 CET	49769	443	192.168.2.4	35.190.72.216
Nov 23, 2024 18:44:17.126540899 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:17.167463064 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.167536974 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.170331955 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.170348883 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.170681953 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.172431946 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.172503948 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.172605038 CET	443	49768	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.173873901 CET	49768	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.353405952 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:17.407210112 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:17.407298088 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:17.410366058 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:17.410373926 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:17.410849094 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:17.412528992 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:17.412626028 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:17.412718058 CET	443	49770	151.101.129.91	192.168.2.4
Nov 23, 2024 18:44:17.418688059 CET	49770	443	192.168.2.4	151.101.129.91
Nov 23, 2024 18:44:17.420532942 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.420568943 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.420993090 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.421101093 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.421113968 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.422483921 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.422506094 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.422796965 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.422872066 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.422884941 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.424649954 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.424660921 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.424798012 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.424875021 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.424885035 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.472753048 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.472888947 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.475675106 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.475682020 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.475895882 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.478197098 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.478324890 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.478374958 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.478380919 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.494601011 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:17.499351025 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:17.499593973 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:17.504640102 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:17.504647017 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:17.504726887 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:17.504878998 CET	443	49771	35.201.103.21	192.168.2.4
Nov 23, 2024 18:44:17.505192041 CET	49771	443	192.168.2.4	35.201.103.21
Nov 23, 2024 18:44:17.515083075 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.515119076 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.515228033 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.515328884 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:17.515342951 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:17.616759062 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:17.618927956 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:17.666102886 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:17.687323093 CET	443	49772	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:17.687375069 CET	49772	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:17.741997957 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:17.954576969 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:18.004796028 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:18.945766926 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.945830107 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.948611975 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.948622942 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.948853970 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.951186895 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.951283932 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.951335907 CET	443	49773	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.951406956 CET	49773	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.955274105 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:18.969227076 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.969293118 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.971863985 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.971868992 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.972871065 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.974323988 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.974391937 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.974719048 CET	443	49774	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.975017071 CET	49774	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.981257915 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:18.981340885 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:18.983999014 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:18.984019995 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:18.985037088 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:18.985692024 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.985759020 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.988079071 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.988086939 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.988308907 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.988683939 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:18.988738060 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:18.988893986 CET	443	49776	34.149.100.209	192.168.2.4
Nov 23, 2024 18:44:18.989414930 CET	49776	443	192.168.2.4	34.149.100.209
Nov 23, 2024 18:44:18.990919113 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.991002083 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:18.991329908 CET	443	49775	35.244.181.201	192.168.2.4
Nov 23, 2024 18:44:18.991480112 CET	49775	443	192.168.2.4	35.244.181.201
Nov 23, 2024 18:44:19.075649977 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:19.280347109 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:19.283245087 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:19.324157953 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:19.403465986 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:19.607842922 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:19.656275034 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:29.287476063 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:29.408150911 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:29.619663000 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:29.744991064 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:35.714617968 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:35.834678888 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:36.044306040 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:36.047332048 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:36.085175037 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:36.173726082 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:36.378464937 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:36.423841000 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:37.527049065 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:37.527086973 CET	443	49780	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:37.527605057 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:37.529690027 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:37.529717922 CET	443	49780	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:38.839725971 CET	443	49780	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:38.839854956 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:38.845397949 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:38.845417023 CET	443	49780	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:38.845500946 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:38.845622063 CET	443	49780	34.107.243.93	192.168.2.4
Nov 23, 2024 18:44:38.846379995 CET	49780	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:44:38.848634005 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:38.997267008 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:39.175262928 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:39.179395914 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:39.216600895 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:39.305291891 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:39.510102034 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:39.564369917 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:45.471653938 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.471694946 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:45.471791029 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.471827030 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:45.472006083 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472007036 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472037077 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:45.472068071 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472142935 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472151041 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:45.472230911 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472367048 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472379923 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:45.472501040 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:45.472511053 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.694920063 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.699335098 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.702908039 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.705681086 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.705693960 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.706047058 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.711337090 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.711451054 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.711711884 CET	443	49799	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.713726044 CET	49799	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.714648008 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:46.739726067 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.739830017 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.742530107 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.742535114 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.743587971 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.744822979 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.744896889 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.745223999 CET	443	49797	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.745305061 CET	49797	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.780962944 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.781045914 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.783874989 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.783902884 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.784249067 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.786288977 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.786402941 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.786495924 CET	443	49798	34.120.208.123	192.168.2.4
Nov 23, 2024 18:44:46.789274931 CET	49798	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:44:46.876111031 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:47.080862999 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:47.083509922 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:47.121869087 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:47.209367037 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:47.414197922 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:47.460526943 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:57.087817907 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:57.213166952 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:44:57.419893026 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:44:57.539977074 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:07.217041969 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:07.337290049 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:07.549197912 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:07.675235987 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:17.345777035 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:17.473119974 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:17.677949905 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:17.798224926 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:18.853178978 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:18.853219986 CET	443	49870	34.107.243.93	192.168.2.4
Nov 23, 2024 18:45:18.853375912 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:18.855452061 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:18.855480909 CET	443	49870	34.107.243.93	192.168.2.4
Nov 23, 2024 18:45:20.190247059 CET	443	49870	34.107.243.93	192.168.2.4
Nov 23, 2024 18:45:20.190339088 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:20.197873116 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:20.197896957 CET	443	49870	34.107.243.93	192.168.2.4
Nov 23, 2024 18:45:20.197957039 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:20.198390007 CET	443	49870	34.107.243.93	192.168.2.4
Nov 23, 2024 18:45:20.200118065 CET	49870	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:45:20.201828003 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:20.338777065 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:20.544298887 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:20.548021078 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:20.589652061 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:20.674246073 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:20.878638029 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:20.921704054 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:30.558628082 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:30.685477018 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:30.890805960 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:31.014806986 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:40.697324991 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:40.817322969 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:41.029428959 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:41.156574965 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:50.827152014 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:50.947005033 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:45:51.159326077 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:45:51.285990000 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:00.955281019 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:01.075165987 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:01.287446022 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:01.434053898 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:11.084059000 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:11.203870058 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:11.447504044 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:11.574002028 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:21.212605953 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:21.332077980 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:21.575954914 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:21.702416897 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:31.341469049 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:31.467902899 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:31.704849958 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:31.824453115 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:40.498016119 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:40.498032093 CET	443	50044	34.107.243.93	192.168.2.4
Nov 23, 2024 18:46:40.498096943 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:40.499448061 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:40.499463081 CET	443	50044	34.107.243.93	192.168.2.4
Nov 23, 2024 18:46:41.469831944 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:41.596328974 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:41.767807961 CET	443	50044	34.107.243.93	192.168.2.4
Nov 23, 2024 18:46:41.768124104 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:41.774107933 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:41.774118900 CET	443	50044	34.107.243.93	192.168.2.4
Nov 23, 2024 18:46:41.774219036 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:41.774472952 CET	443	50044	34.107.243.93	192.168.2.4
Nov 23, 2024 18:46:41.775043011 CET	50044	443	192.168.2.4	34.107.243.93
Nov 23, 2024 18:46:41.776842117 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:41.833231926 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:41.926749945 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:41.977699995 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:42.131035089 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:42.134248018 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:42.171988964 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:42.260867119 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:42.466005087 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:42.519835949 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:47.134171009 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134232998 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.134360075 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134380102 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.134485006 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134573936 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.134591103 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134597063 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.134673119 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134696960 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134696960 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134711027 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134800911 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134824038 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.134960890 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.134974957 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.135071993 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.135112047 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:47.135130882 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:47.135142088 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.344906092 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.344983101 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.347567081 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.347577095 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.347826004 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.349318027 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.349426031 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.349447012 CET	443	50052	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.349545002 CET	50052	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.351516008 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:48.354021072 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.356617928 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.359076023 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.359091997 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.359433889 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.360874891 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.360945940 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.361052036 CET	443	50051	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.361161947 CET	50051	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.394018888 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.394109011 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.395057917 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.396419048 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.396425009 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.396626949 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.396763086 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.398547888 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.398577929 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.398909092 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.400335073 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.400418997 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.400526047 CET	443	50054	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.400825977 CET	50054	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.401083946 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.401159048 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.401261091 CET	443	50053	34.120.208.123	192.168.2.4
Nov 23, 2024 18:46:48.401854992 CET	50053	443	192.168.2.4	34.120.208.123
Nov 23, 2024 18:46:48.478627920 CET	80	49749	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:48.478691101 CET	49749	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:48.505001068 CET	50055	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:48.630420923 CET	80	50055	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:48.630495071 CET	50055	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:48.630606890 CET	50055	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:48.750080109 CET	80	50055	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:49.761940002 CET	80	50055	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:49.764384985 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:49.765106916 CET	50056	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:49.816231966 CET	50055	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:49.884322882 CET	80	49755	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:49.884403944 CET	49755	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:49.884588957 CET	80	50056	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:49.884663105 CET	50056	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:49.884763002 CET	50056	80	192.168.2.4	34.107.221.82
Nov 23, 2024 18:46:50.007714987 CET	80	50056	34.107.221.82	192.168.2.4
Nov 23, 2024 18:46:51.027906895 CET	80	50056	34.107.221.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 18:43:47.069041014 CET	55447	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:47.318460941 CET	53	55447	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:47.319118977 CET	55311	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:47.462796926 CET	53	55311	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.041541100 CET	65011	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.041857958 CET	63323	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.187990904 CET	53	65011	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.193408966 CET	53960	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.303491116 CET	50372	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.336671114 CET	53	53960	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.337131977 CET	65049	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.445266962 CET	53	50372	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.445817947 CET	62405	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.477287054 CET	53	65049	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.486598969 CET	58592	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.501058102 CET	62714	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.587353945 CET	53	62405	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.630745888 CET	53	58592	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.645381927 CET	53	62714	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:49.943001986 CET	53885	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.944588900 CET	52667	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:49.944871902 CET	53452	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.030844927 CET	51121	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.091610909 CET	53	52667	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.091728926 CET	53	53452	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.092233896 CET	55786	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.092396975 CET	57624	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.093847036 CET	53	53885	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.094316959 CET	56601	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.180628061 CET	53	51121	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.237824917 CET	53	55786	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.238778114 CET	53884	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.243185997 CET	53	57624	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.327716112 CET	53	56601	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.389415026 CET	53	53884	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.390064001 CET	59465	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.536500931 CET	53	59465	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.649424076 CET	65107	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.649823904 CET	63302	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.730045080 CET	53567	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.732270002 CET	54497	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:50.787514925 CET	53	63302	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:50.790414095 CET	53	65107	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:51.507973909 CET	53	57065	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:51.879868984 CET	50032	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.020149946 CET	53	50032	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.021447897 CET	56653	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.162061930 CET	53	56653	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.181421995 CET	57134	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.326800108 CET	53	57134	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.470719099 CET	62813	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.519553900 CET	63972	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.617396116 CET	53	62813	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.630938053 CET	59507	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.662307978 CET	53	63972	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.662873983 CET	57587	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.774477005 CET	53	59507	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.778793097 CET	56005	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:52.810384035 CET	53	57587	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:52.924643993 CET	53	56005	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:55.587661982 CET	62724	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:55.728236914 CET	53	62724	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:55.736709118 CET	63711	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:55.880434990 CET	53	63711	1.1.1.1	192.168.2.4
Nov 23, 2024 18:43:55.883477926 CET	59445	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:43:56.035145998 CET	53	59445	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:00.961859941 CET	51480	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:01.362850904 CET	57018	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:01.530426025 CET	53	57018	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:01.830008030 CET	59229	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:01.976636887 CET	53	59229	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:02.871222019 CET	56896	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:02.871520042 CET	49235	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:02.871747971 CET	60552	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.009424925 CET	53	56896	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.009480000 CET	53	49235	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.013551950 CET	53	60552	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.014570951 CET	56577	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.014770985 CET	63474	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.015289068 CET	49673	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.155771017 CET	53	56577	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.156346083 CET	53	63474	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.156562090 CET	63897	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.156856060 CET	57807	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.156898022 CET	53	49673	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.157278061 CET	59270	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.308096886 CET	53	63897	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.311748981 CET	53	59270	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.313306093 CET	53	57807	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.636480093 CET	62292	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.636663914 CET	60924	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:03.788459063 CET	53	62292	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:03.792325020 CET	53	60924	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:04.139374971 CET	57710	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:04.139621019 CET	57994	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:04.279120922 CET	53	57710	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:04.279680967 CET	59131	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:04.426451921 CET	53	59131	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:04.438136101 CET	53	57994	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:04.438682079 CET	54026	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:04.660170078 CET	53	54026	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:15.862478971 CET	51704	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:15.864583969 CET	51721	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:15.883789062 CET	60536	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.012655973 CET	53	51704	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.013782978 CET	53	51721	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.016273022 CET	59803	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.167774916 CET	53	59803	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.168351889 CET	63427	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.226969957 CET	53	60536	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.227912903 CET	51875	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.256834984 CET	52172	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.306876898 CET	53	63427	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.367691040 CET	53	51875	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.368356943 CET	62805	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:16.396274090 CET	53	52172	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:16.600461006 CET	53	62805	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:37.375361919 CET	61444	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:37.525784969 CET	53	61444	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:37.527540922 CET	57433	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:37.672844887 CET	53	57433	1.1.1.1	192.168.2.4
Nov 23, 2024 18:44:45.471915007 CET	60269	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:44:45.622030020 CET	53	60269	1.1.1.1	192.168.2.4
Nov 23, 2024 18:45:18.853708982 CET	62498	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:45:18.992028952 CET	53	62498	1.1.1.1	192.168.2.4
Nov 23, 2024 18:45:20.202059031 CET	65091	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:40.216120958 CET	55086	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:40.357099056 CET	53	55086	1.1.1.1	192.168.2.4
Nov 23, 2024 18:46:40.358016014 CET	52615	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:40.497162104 CET	53	52615	1.1.1.1	192.168.2.4
Nov 23, 2024 18:46:40.497745991 CET	62632	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:40.644268990 CET	53	62632	1.1.1.1	192.168.2.4
Nov 23, 2024 18:46:41.777093887 CET	60784	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:47.134537935 CET	50686	53	192.168.2.4	1.1.1.1
Nov 23, 2024 18:46:47.274705887 CET	53	50686	1.1.1.1	192.168.2.4
Nov 23, 2024 18:46:48.351866961 CET	51823	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 18:43:47.069041014 CET	192.168.2.4	1.1.1.1	0x5d12	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:47.319118977 CET	192.168.2.4	1.1.1.1	0xff41	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:49.041541100 CET	192.168.2.4	1.1.1.1	0xcf27	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.041857958 CET	192.168.2.4	1.1.1.1	0xf3ec	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.193408966 CET	192.168.2.4	1.1.1.1	0xed01	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.303491116 CET	192.168.2.4	1.1.1.1	0x5b00	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.337131977 CET	192.168.2.4	1.1.1.1	0x7bbd	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 18:43:49.445817947 CET	192.168.2.4	1.1.1.1	0xb0e4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:49.486598969 CET	192.168.2.4	1.1.1.1	0xdb92	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.501058102 CET	192.168.2.4	1.1.1.1	0x34b3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.943001986 CET	192.168.2.4	1.1.1.1	0xdded	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.944588900 CET	192.168.2.4	1.1.1.1	0x6bb0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.944871902 CET	192.168.2.4	1.1.1.1	0xa9c3	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.030844927 CET	192.168.2.4	1.1.1.1	0x4e13	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.092233896 CET	192.168.2.4	1.1.1.1	0xe5d0	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:50.092396975 CET	192.168.2.4	1.1.1.1	0x6c61	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:50.094316959 CET	192.168.2.4	1.1.1.1	0x95c7	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:43:50.238778114 CET	192.168.2.4	1.1.1.1	0x4086	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.390064001 CET	192.168.2.4	1.1.1.1	0xd3c4	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:50.649424076 CET	192.168.2.4	1.1.1.1	0x3371	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.649823904 CET	192.168.2.4	1.1.1.1	0xc270	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.730045080 CET	192.168.2.4	1.1.1.1	0x7a57	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.732270002 CET	192.168.2.4	1.1.1.1	0xe233	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:51.879868984 CET	192.168.2.4	1.1.1.1	0xb0a9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.021447897 CET	192.168.2.4	1.1.1.1	0xbbd2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.181421995 CET	192.168.2.4	1.1.1.1	0x4a81	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:43:52.470719099 CET	192.168.2.4	1.1.1.1	0x14a9	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.519553900 CET	192.168.2.4	1.1.1.1	0x7c94	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.630938053 CET	192.168.2.4	1.1.1.1	0xc0b9	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.662873983 CET	192.168.2.4	1.1.1.1	0xda16	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:43:52.778793097 CET	192.168.2.4	1.1.1.1	0x9045	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:43:55.587661982 CET	192.168.2.4	1.1.1.1	0x9af1	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:55.736709118 CET	192.168.2.4	1.1.1.1	0xaab	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:55.883477926 CET	192.168.2.4	1.1.1.1	0x3c48	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:44:00.961859941 CET	192.168.2.4	1.1.1.1	0x19be	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:01.362850904 CET	192.168.2.4	1.1.1.1	0x2ad1	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:01.830008030 CET	192.168.2.4	1.1.1.1	0xed7a	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:02.871222019 CET	192.168.2.4	1.1.1.1	0xf2b5	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:02.871520042 CET	192.168.2.4	1.1.1.1	0x214c	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:02.871747971 CET	192.168.2.4	1.1.1.1	0xb569	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.014570951 CET	192.168.2.4	1.1.1.1	0xb778	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.014770985 CET	192.168.2.4	1.1.1.1	0x2a6a	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.015289068 CET	192.168.2.4	1.1.1.1	0x616	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.156562090 CET	192.168.2.4	1.1.1.1	0x2ece	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:03.156856060 CET	192.168.2.4	1.1.1.1	0xf46f	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:03.157278061 CET	192.168.2.4	1.1.1.1	0x4b1f	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 18:44:03.636480093 CET	192.168.2.4	1.1.1.1	0xea06	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.636663914 CET	192.168.2.4	1.1.1.1	0x8ee8	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.139374971 CET	192.168.2.4	1.1.1.1	0xde64	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.139621019 CET	192.168.2.4	1.1.1.1	0xda82	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.279680967 CET	192.168.2.4	1.1.1.1	0xbccc	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:04.438682079 CET	192.168.2.4	1.1.1.1	0x17cf	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 18:44:15.862478971 CET	192.168.2.4	1.1.1.1	0x71c4	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:15.864583969 CET	192.168.2.4	1.1.1.1	0xcd50	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:15.883789062 CET	192.168.2.4	1.1.1.1	0xf813	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.016273022 CET	192.168.2.4	1.1.1.1	0xc46e	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.168351889 CET	192.168.2.4	1.1.1.1	0xddea	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 18:44:16.227912903 CET	192.168.2.4	1.1.1.1	0x312c	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.256834984 CET	192.168.2.4	1.1.1.1	0xfb8	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 18:44:16.368356943 CET	192.168.2.4	1.1.1.1	0x43a2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:37.375361919 CET	192.168.2.4	1.1.1.1	0x8b8f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:37.527540922 CET	192.168.2.4	1.1.1.1	0x3240	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:44:45.471915007 CET	192.168.2.4	1.1.1.1	0xf2fe	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:45:18.853708982 CET	192.168.2.4	1.1.1.1	0x65f3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:45:20.202059031 CET	192.168.2.4	1.1.1.1	0x9323	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:40.216120958 CET	192.168.2.4	1.1.1.1	0xd133	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:40.358016014 CET	192.168.2.4	1.1.1.1	0x787c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:40.497745991 CET	192.168.2.4	1.1.1.1	0xf449	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:46:41.777093887 CET	192.168.2.4	1.1.1.1	0xd3d7	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:47.134537935 CET	192.168.2.4	1.1.1.1	0x72b0	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 18:46:48.351866961 CET	192.168.2.4	1.1.1.1	0xcf9d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 18:43:47.065797091 CET	1.1.1.1	192.168.2.4	0x1095	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:47.318460941 CET	1.1.1.1	192.168.2.4	0x5d12	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.187990904 CET	1.1.1.1	192.168.2.4	0xcf27	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.302542925 CET	1.1.1.1	192.168.2.4	0xf3ec	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:49.302542925 CET	1.1.1.1	192.168.2.4	0xf3ec	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.336671114 CET	1.1.1.1	192.168.2.4	0xed01	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.445266962 CET	1.1.1.1	192.168.2.4	0x5b00	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.477287054 CET	1.1.1.1	192.168.2.4	0x7bbd	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 18:43:49.587353945 CET	1.1.1.1	192.168.2.4	0xb0e4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 18:43:49.630745888 CET	1.1.1.1	192.168.2.4	0xdb92	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.637237072 CET	1.1.1.1	192.168.2.4	0x498f	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:49.637237072 CET	1.1.1.1	192.168.2.4	0x498f	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:49.645381927 CET	1.1.1.1	192.168.2.4	0x34b3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:49.645381927 CET	1.1.1.1	192.168.2.4	0x34b3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.091610909 CET	1.1.1.1	192.168.2.4	0x6bb0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.091728926 CET	1.1.1.1	192.168.2.4	0xa9c3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.093847036 CET	1.1.1.1	192.168.2.4	0xdded	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.180628061 CET	1.1.1.1	192.168.2.4	0x4e13	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:50.180628061 CET	1.1.1.1	192.168.2.4	0x4e13	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:50.180628061 CET	1.1.1.1	192.168.2.4	0x4e13	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.389415026 CET	1.1.1.1	192.168.2.4	0x4086	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.536500931 CET	1.1.1.1	192.168.2.4	0xd3c4	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 18:43:50.787514925 CET	1.1.1.1	192.168.2.4	0xc270	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.787514925 CET	1.1.1.1	192.168.2.4	0xc270	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.790414095 CET	1.1.1.1	192.168.2.4	0x3371	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.876677990 CET	1.1.1.1	192.168.2.4	0xe233	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:50.876677990 CET	1.1.1.1	192.168.2.4	0xe233	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:50.950696945 CET	1.1.1.1	192.168.2.4	0x7a57	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:52.020149946 CET	1.1.1.1	192.168.2.4	0xb0a9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.162061930 CET	1.1.1.1	192.168.2.4	0xbbd2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.513000965 CET	1.1.1.1	192.168.2.4	0xcff	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.599678993 CET	1.1.1.1	192.168.2.4	0xd482	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:52.599678993 CET	1.1.1.1	192.168.2.4	0xd482	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.617396116 CET	1.1.1.1	192.168.2.4	0x14a9	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:52.617396116 CET	1.1.1.1	192.168.2.4	0x14a9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.662307978 CET	1.1.1.1	192.168.2.4	0x7c94	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:52.774477005 CET	1.1.1.1	192.168.2.4	0xc0b9	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:55.728236914 CET	1.1.1.1	192.168.2.4	0x9af1	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:55.728236914 CET	1.1.1.1	192.168.2.4	0x9af1	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:43:55.728236914 CET	1.1.1.1	192.168.2.4	0x9af1	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:55.774007082 CET	1.1.1.1	192.168.2.4	0x9080	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:43:55.880434990 CET	1.1.1.1	192.168.2.4	0xaab	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:01.112457991 CET	1.1.1.1	192.168.2.4	0x19be	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:01.112457991 CET	1.1.1.1	192.168.2.4	0x19be	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009424925 CET	1.1.1.1	192.168.2.4	0xf2b5	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009480000 CET	1.1.1.1	192.168.2.4	0x214c	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:03.009480000 CET	1.1.1.1	192.168.2.4	0x214c	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.013551950 CET	1.1.1.1	192.168.2.4	0xb569	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:03.013551950 CET	1.1.1.1	192.168.2.4	0xb569	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.155771017 CET	1.1.1.1	192.168.2.4	0xb778	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.156346083 CET	1.1.1.1	192.168.2.4	0x2a6a	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.156898022 CET	1.1.1.1	192.168.2.4	0x616	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.308096886 CET	1.1.1.1	192.168.2.4	0x2ece	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.308096886 CET	1.1.1.1	192.168.2.4	0x2ece	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.308096886 CET	1.1.1.1	192.168.2.4	0x2ece	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.308096886 CET	1.1.1.1	192.168.2.4	0x2ece	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.311748981 CET	1.1.1.1	192.168.2.4	0x4b1f	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.313306093 CET	1.1.1.1	192.168.2.4	0xf46f	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 18:44:03.788459063 CET	1.1.1.1	192.168.2.4	0xea06	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:03.788459063 CET	1.1.1.1	192.168.2.4	0xea06	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.788459063 CET	1.1.1.1	192.168.2.4	0xea06	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.788459063 CET	1.1.1.1	192.168.2.4	0xea06	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.788459063 CET	1.1.1.1	192.168.2.4	0xea06	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:03.792325020 CET	1.1.1.1	192.168.2.4	0x8ee8	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.279120922 CET	1.1.1.1	192.168.2.4	0xde64	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.438136101 CET	1.1.1.1	192.168.2.4	0xda82	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.438136101 CET	1.1.1.1	192.168.2.4	0xda82	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.438136101 CET	1.1.1.1	192.168.2.4	0xda82	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:04.438136101 CET	1.1.1.1	192.168.2.4	0xda82	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.012655973 CET	1.1.1.1	192.168.2.4	0x71c4	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.012655973 CET	1.1.1.1	192.168.2.4	0x71c4	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.012655973 CET	1.1.1.1	192.168.2.4	0x71c4	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.012655973 CET	1.1.1.1	192.168.2.4	0x71c4	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.167774916 CET	1.1.1.1	192.168.2.4	0xc46e	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.167774916 CET	1.1.1.1	192.168.2.4	0xc46e	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.167774916 CET	1.1.1.1	192.168.2.4	0xc46e	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.167774916 CET	1.1.1.1	192.168.2.4	0xc46e	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.226969957 CET	1.1.1.1	192.168.2.4	0xf813	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:16.226969957 CET	1.1.1.1	192.168.2.4	0xf813	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.255834103 CET	1.1.1.1	192.168.2.4	0xab46	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:16.255834103 CET	1.1.1.1	192.168.2.4	0xab46	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:16.306876898 CET	1.1.1.1	192.168.2.4	0xddea	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 18:44:16.306876898 CET	1.1.1.1	192.168.2.4	0xddea	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 18:44:16.306876898 CET	1.1.1.1	192.168.2.4	0xddea	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 18:44:16.306876898 CET	1.1.1.1	192.168.2.4	0xddea	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 18:44:16.367691040 CET	1.1.1.1	192.168.2.4	0x312c	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:19.543587923 CET	1.1.1.1	192.168.2.4	0xb0cb	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:19.543587923 CET	1.1.1.1	192.168.2.4	0xb0cb	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:44:37.525784969 CET	1.1.1.1	192.168.2.4	0x8b8f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:44:45.469886065 CET	1.1.1.1	192.168.2.4	0x1ed5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:45:20.362361908 CET	1.1.1.1	192.168.2.4	0x9323	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:45:20.362361908 CET	1.1.1.1	192.168.2.4	0x9323	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:40.357099056 CET	1.1.1.1	192.168.2.4	0xd133	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:40.497162104 CET	1.1.1.1	192.168.2.4	0x787c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:41.949698925 CET	1.1.1.1	192.168.2.4	0xd3d7	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:46:41.949698925 CET	1.1.1.1	192.168.2.4	0xd3d7	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:47.133095980 CET	1.1.1.1	192.168.2.4	0xe9bd	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 18:46:48.498130083 CET	1.1.1.1	192.168.2.4	0xcf9d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 18:46:48.498130083 CET	1.1.1.1	192.168.2.4	0xcf9d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.107.221.82	80	6348	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:43:49.425836086 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:43:50.559472084 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 67107 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49746	34.107.221.82	80	6348	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:43:51.011532068 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:43:52.208276033 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59687 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49749	34.107.221.82	80	6348	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:43:52.005098104 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:43:53.136281013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39355 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:43:55.635548115 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:43:55.961524010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39358 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:01.358333111 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:01.729387999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39364 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:05.649337053 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:06.039623976 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39368 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:16.045922041 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:44:17.126540899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:17.616759062 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39380 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:18.955274105 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:19.280347109 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39382 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:29.287476063 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:44:35.714617968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:36.044306040 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39398 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:38.848634005 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:39.175262928 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39402 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:46.714648008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:44:47.080862999 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39409 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:44:57.087817907 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:07.217041969 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:17.345777035 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:20.201828003 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:45:20.544298887 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39443 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 18:45:30.558628082 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:40.697324991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:50.827152014 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:00.955281019 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:11.084059000 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:41.776842117 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:46:42.131035089 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 39524 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49755	34.107.221.82	80	6348	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:43:55.709832907 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:43:56.866542101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59691 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:00.962299109 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:01.292196989 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59696 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:02.563982010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:02.895370007 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59697 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:06.189374924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:06.513788939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59701 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:16.516097069 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:44:17.618927956 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:17.954576969 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59712 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:19.283245087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:19.607842922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59714 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:29.619663000 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:44:36.047332048 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:36.378464937 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59731 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:39.179395914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:39.510102034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59734 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:47.083509922 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:44:47.414197922 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59742 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:44:57.419893026 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:07.549197912 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:17.677949905 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:20.548021078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:45:20.878638029 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59775 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 18:45:30.890805960 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:41.029428959 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:45:51.159326077 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:01.287446022 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:11.447504044 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 18:46:42.134248018 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:46:42.466005087 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 59857 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.4	50055	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:46:48.630606890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 18:46:49.761940002 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 23:05:23 GMT Age: 67286 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.4	50056	34.107.221.82	80

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 18:46:49.884763002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 18:46:51.027906895 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 00:44:18 GMT Age: 61352 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	12:43:40
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3a0000
File size:	922'112 bytes
MD5 hash:	45538B3F1D09A4C8428DED3E62112646
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:43:40
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:43:40
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xb90000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xe70000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:43:42
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:43:43
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:43:43
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:43:43
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	12:43:44
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2268 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0590ddfb-40e1-4d22-93f3-32ecdcb7185d} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a84756f510 socket
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	12:43:46
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4148 -parentBuildID 20230927232528 -prefsHandle 4204 -prefMapHandle 4196 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {429ab7b8-4f74-4e64-a7bd-da10c280bcea} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a8598a2810 rdd
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:43:51
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8adebb1d-ed68-4c68-8123-8531c6a1a629} 6348 "\\.\pipe\gecko-crash-server-pipe.6348" 1a858849110 utility
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1548
Total number of Limit Nodes:	63

Executed Functions

Function 003A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003A430D

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

GetCurrentProcess.KERNEL32(?,0043CB64,00000000,?,?), ref: 003A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 003A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 003A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 003A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 003A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003A44A0

Strings

GetNativeSystemInfo, xrefs: 003A4460
kernel32.dll, xrefs: 003A444F
|O, xrefs: 003E36F8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 80f76c5144183cff18615aff95e68e2a92ab2c5c7b810a88973ac251a5498dd0
Instruction ID: cdcf4f6a6d0b7e20ba1d5d5dac765f50d4eb077023437fdc2d7c719203d33c94
Opcode Fuzzy Hash: 80f76c5144183cff18615aff95e68e2a92ab2c5c7b810a88973ac251a5498dd0
Instruction Fuzzy Hash: A2A1087190A2D0CFEB23CB7E7C845957FE4AB67300B0459B9E88D97AB1D2604598CB2D

Function 003A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003A50AA,?,?,00000000,00000000), ref: 003A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003A50AA,?,?,00000000,00000000), ref: 003A42C9
LoadResource.KERNEL32(?,00000000,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20), ref: 003E35BE
SizeofResource.KERNEL32(?,00000000,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20), ref: 003E35D3
LockResource.KERNEL32(003A50AA,?,?,003A50AA,?,?,00000000,00000000,?,?,?,?,?,?,003A4F20,?), ref: 003E35E6

Strings

SCRIPT, xrefs: 003A42BF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 29a3bff3e50df57e2e631ecbd2f8507cb86ea37bfd3ffed449b3093406e551ad
Instruction ID: 2d974cbf590344a5b0d23954deaba7c48ba1bdf7a6e9264fd7edc7ef58a34b69
Opcode Fuzzy Hash: 29a3bff3e50df57e2e631ecbd2f8507cb86ea37bfd3ffed449b3093406e551ad
Instruction Fuzzy Hash: 56118E71640700BFE7228B65DC88F277BBDEBC6B51F204669F402E6290DBB1DC008761

Function 003E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 003A2B6B

Part of subcall function 003A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00471418,?,003A2E7F,?,?,?,00000000), ref: 003A3A78

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00462224), ref: 003E2C10
ShellExecuteW.SHELL32(00000000,?,?,00462224), ref: 003E2C17

Strings

runas, xrefs: 003E2C0B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ed775a3ccbedc4b52cf397722dfa95dda5455879c216f49d6aa36586d5004133
Instruction ID: f4069fc6676403f453b5c9b0cf7cfc26fd9426af2c386dcc9e4da3cc31d3bf64
Opcode Fuzzy Hash: ed775a3ccbedc4b52cf397722dfa95dda5455879c216f49d6aa36586d5004133
Instruction Fuzzy Hash: 6311B4712083416BC706FF68D856AAE77A8DB93350F04542EF0466B0E2DF2585498716

Function 0040D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0040D501
Process32FirstW.KERNEL32(00000000,?), ref: 0040D50F
Process32NextW.KERNEL32(00000000,?), ref: 0040D52F
CloseHandle.KERNELBASE(00000000), ref: 0040D5DC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b693cfdca4fd5914d2e54134a55a744e695d4ee230800fc65944f0ee1182426b
Instruction ID: 6f35c0ed5c1bd0b9cf7c778e18a94ff71c3c959c05fadc653c731fb0ad34abd0
Opcode Fuzzy Hash: b693cfdca4fd5914d2e54134a55a744e695d4ee230800fc65944f0ee1182426b
Instruction Fuzzy Hash: 8031A471508300AFD301EF54CC81AAFBBF8EF9A354F14092EF581A61A1EB759949CB92

Function 0040DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,003E5222), ref: 0040DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0040DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0040DBEE
FindClose.KERNEL32(00000000), ref: 0040DBFA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 338ebca8c96b82a0103eaa10289bf229bf75e6dda892f0039f59740440dc1614
Instruction ID: eacd654cd97aa75b86b22268a6fe1f96077cac960eaf5d36f6bbc8f674144be0
Opcode Fuzzy Hash: 338ebca8c96b82a0103eaa10289bf229bf75e6dda892f0039f59740440dc1614
Instruction Fuzzy Hash: 0FF0A031C1892057D2206BB8AC4D8AB3B6C9E01334B144763F836E21E0EBB459598A9E

Function 003C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000,?,003D28E9), ref: 003C4D09
TerminateProcess.KERNEL32(00000000,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000,?,003D28E9), ref: 003C4D10
ExitProcess.KERNEL32 ref: 003C4D22

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 93fe0b7deb73769bff94b22c7359644a3b741bafb39efc746463e18fd6be8697
Instruction ID: 1da31d699d4df0efb848b0755c587ef74741236f732a029a14550f94c3b96726
Opcode Fuzzy Hash: 93fe0b7deb73769bff94b22c7359644a3b741bafb39efc746463e18fd6be8697
Instruction Fuzzy Hash: 84E0B631000148ABCF12BF64DD9EF983B69EB41791B114428FC06DA223CB36DD52DB84

Function 003ABF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#G, xrefs: 003F07CE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#G
API String ID: 3964851224-4255191568
Opcode ID: 5275024a693c28b939aa33d2bb5a4d92856cabb132f641792f98b159d0a5b677
Instruction ID: 3376a8036cddd53de087475e7f6a6b4bae4b74fdc83be9a64f91629ed482eaf8
Opcode Fuzzy Hash: 5275024a693c28b939aa33d2bb5a4d92856cabb132f641792f98b159d0a5b677
Instruction Fuzzy Hash: 00A27A706083018FCB16DF28C480B6AB7E5FF8A304F15996DE99A8B352D775EC45CB92

Function 0042AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0042B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0042B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0042B1D4
_wcslen.LIBCMT ref: 0042B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0042B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0042B236
_wcslen.LIBCMT ref: 0042B332

Part of subcall function 004105A7: GetStdHandle.KERNEL32(000000F6), ref: 004105C6

_wcslen.LIBCMT ref: 0042B34B
_wcslen.LIBCMT ref: 0042B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042B3B6
GetLastError.KERNEL32(00000000), ref: 0042B407
CloseHandle.KERNEL32(?), ref: 0042B439
CloseHandle.KERNEL32(00000000), ref: 0042B44A
CloseHandle.KERNEL32(00000000), ref: 0042B45C
CloseHandle.KERNEL32(00000000), ref: 0042B46E
CloseHandle.KERNEL32(?), ref: 0042B4E3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: aa3b0378b824eb521549a21ae21bd4ad51fe3965dc76b992ee41837ca976c7b3
Instruction ID: 3e256a06a021b66105df92e2ac26b85da5bdd145f989dd33d768d28b2f7502b0
Opcode Fuzzy Hash: aa3b0378b824eb521549a21ae21bd4ad51fe3965dc76b992ee41837ca976c7b3
Instruction Fuzzy Hash: 8FF188316043109FC715EF24D891B6BBBE1EF85314F18855EF8999B2A2DB38EC40CB96

Function 003AD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003AD807
timeGetTime.WINMM ref: 003ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB28
TranslateMessage.USER32(?), ref: 003ADB7B
DispatchMessageW.USER32(?), ref: 003ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB9F
Sleep.KERNELBASE(0000000A), ref: 003ADBB1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 76beb0e8fcb163a38989907ee5eba860ce80b7c9b4d233c2a53633493faf0865
Instruction ID: 1a8c76cfe7be046366af91dc234b3d7a4a45ad4b9fa573ba6a15c709f6f8c126
Opcode Fuzzy Hash: 76beb0e8fcb163a38989907ee5eba860ce80b7c9b4d233c2a53633493faf0865
Instruction Fuzzy Hash: 3542E370608345DFD72ACF24C884BBAB7E4FF46304F15452DE9968BAA1D774E844CB92

Function 003A2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A2D07
RegisterClassExW.USER32(00000030), ref: 003A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A2D42
InitCommonControlsEx.COMCTL32(?), ref: 003A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A2D6F
LoadIconW.USER32(000000A9), ref: 003A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A2D94

Strings

AutoIt v3 GUI, xrefs: 003A2D23
0, xrefs: 003A2CE9
TaskbarCreated, xrefs: 003A2D37
+, xrefs: 003A2CF0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2e91d89bf69aa7acc606c10636676af2d136dab7a4c64b4ba1fc5ae85b74d2ad
Instruction ID: 9d1f93faa09160f8171bbd717473f41909e3845400209a916113567fe63d2a9f
Opcode Fuzzy Hash: 2e91d89bf69aa7acc606c10636676af2d136dab7a4c64b4ba1fc5ae85b74d2ad
Instruction Fuzzy Hash: 6721F7B5911309AFDB00DFA8EC89BDDBBB4FB08700F00512AFA15B62A0D7B54580CF98

Function 003E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E039A: CreateFileW.KERNELBASE(00000000,00000000,?,003E0704,?,?,00000000,?,003E0704,00000000,0000000C), ref: 003E03B7

GetLastError.KERNEL32 ref: 003E076F
__dosmaperr.LIBCMT ref: 003E0776
GetFileType.KERNELBASE(00000000), ref: 003E0782
GetLastError.KERNEL32 ref: 003E078C
__dosmaperr.LIBCMT ref: 003E0795
CloseHandle.KERNEL32(00000000), ref: 003E07B5
CloseHandle.KERNEL32(?), ref: 003E08FF
GetLastError.KERNEL32 ref: 003E0931
__dosmaperr.LIBCMT ref: 003E0938

Strings

H, xrefs: 003E08BD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 0bd8084db5d44302610fb767dcba0172da7c2ea6047a2b44a74e0f329bdf8110
Instruction ID: 560b104717e6a31760316768dff206fa5b6a794ceb119908bd7a4c0203eb45af
Opcode Fuzzy Hash: 0bd8084db5d44302610fb767dcba0172da7c2ea6047a2b44a74e0f329bdf8110
Instruction Fuzzy Hash: 51A11436A041948FDF1EAF68D891BAD7BA1AB06320F14025DF815EF3D1C7719C52CB91

Function 003A344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00471418,?,003A2E7F,?,?,?,00000000), ref: 003A3A78

Part of subcall function 003A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003E31CE
RegCloseKey.ADVAPI32(?), ref: 003E3210
_wcslen.LIBCMT ref: 003E3277
_wcslen.LIBCMT ref: 003E3286

Strings

\, xrefs: 003E328C
Include, xrefs: 003E3184, 003E31C5
\Include\, xrefs: 003A3527
Software\AutoIt v3\AutoIt, xrefs: 003A3560

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 857f52bff3cab9e20a30c0f853f6b6e467b86e749128fdc20136588ef6c5794b
Instruction ID: 2c408468d568014130fa71f030f8fa657cc9c9da3a8608320814bdf864708215
Opcode Fuzzy Hash: 857f52bff3cab9e20a30c0f853f6b6e467b86e749128fdc20136588ef6c5794b
Instruction Fuzzy Hash: A3719F714043109EC315EF75DD859ABBBE8FF89340F40493EF9899B1A0DBB49A88CB55

Function 003A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 003A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 003A2B9D
LoadIconW.USER32(00000063), ref: 003A2BB3
LoadIconW.USER32(000000A4), ref: 003A2BC5
LoadIconW.USER32(000000A2), ref: 003A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003A2BEF
RegisterClassExW.USER32(?), ref: 003A2C40

Part of subcall function 003A2CD4: GetSysColorBrush.USER32(0000000F), ref: 003A2D07
Part of subcall function 003A2CD4: RegisterClassExW.USER32(00000030), ref: 003A2D31
Part of subcall function 003A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003A2D42
Part of subcall function 003A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 003A2D5F
Part of subcall function 003A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003A2D6F
Part of subcall function 003A2CD4: LoadIconW.USER32(000000A9), ref: 003A2D85
Part of subcall function 003A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003A2D94

Strings

0, xrefs: 003A2C0F
#, xrefs: 003A2C16
AutoIt v3, xrefs: 003A2C2F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4adc9efb5ae31bdbb09749e1cab7112eaf8700756627255d7f0f6847f29b75fa
Instruction ID: 2c00c2c114d2e1e558f8aa06a07151190baddfe3c30ff11228ad8e7262e553d4
Opcode Fuzzy Hash: 4adc9efb5ae31bdbb09749e1cab7112eaf8700756627255d7f0f6847f29b75fa
Instruction Fuzzy Hash: F3211A75E00314ABEB109FA9EC95A9D7FB4FB48B50F00403AE909B66B0D7B54584CF98

Function 003A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,003A316A,?,?), ref: 003A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,003A316A,?,?), ref: 003A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,003A316A,?,?), ref: 003A3232
CreatePopupMenu.USER32 ref: 003A3246
PostQuitMessage.USER32(00000000), ref: 003A3267

Strings

TaskbarCreated, xrefs: 003A322D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 79c9b1b4d43253059b669159bc2de4c4a6ee45f5c47f9d00013a46e0c9be91c7
Instruction ID: 59ca47818344c43c145c82a28e3e0bae1430118aebcb1a170891f1309a38afff
Opcode Fuzzy Hash: 79c9b1b4d43253059b669159bc2de4c4a6ee45f5c47f9d00013a46e0c9be91c7
Instruction Fuzzy Hash: F5414971240204ABDB172B7CDD4EBBA361DEB47340F044236FA1A965F1C774CA40C7A9

Function 003A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003A1459
CoUninitialize.COMBASE ref: 003A14F8
UnregisterHotKey.USER32(?), ref: 003A16DD
DestroyWindow.USER32(?), ref: 003E24B9
FreeLibrary.KERNEL32(?), ref: 003E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003E254B

Strings

close all, xrefs: 003A1454

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 171411a1971afb0c33a2c38fa4799c6a421fc572efa65fcfc1999b001599ee87
Instruction ID: 2e789b8f4a6f77f389c3cfba5d32c70034950b250a79481622e5e16a7757b6ac
Opcode Fuzzy Hash: 171411a1971afb0c33a2c38fa4799c6a421fc572efa65fcfc1999b001599ee87
Instruction Fuzzy Hash: C7D16E317012228FCB1AEF16C995B69F7A8FF06700F1542ADE54AAB691CB30AD12CF54

Function 003A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,003A1CAD,?), ref: 003A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,003A1CAD,?), ref: 003A2CCF

Strings

edit, xrefs: 003A2CAC
AutoIt v3, xrefs: 003A2C89, 003A2C8E, 003A2C8F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2864110aea37e5732fb0e4da754934255917eba41f29c7d338f1483ea0547595
Instruction ID: 465c1ced99c810d649d683867ade72394af663f0cfb0c8c54b47cf9a3499a597
Opcode Fuzzy Hash: 2864110aea37e5732fb0e4da754934255917eba41f29c7d338f1483ea0547595
Instruction Fuzzy Hash: 9FF03A755403907AFB30072BAC49F773EBDD7CAF60F01506AFD08A21B0C2650880DAB8

Function 003A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003A3B0F,SwapMouseButtons,00000004,?), ref: 003A3B83

Strings

Control Panel\Mouse, xrefs: 003A3B3E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: bc186017000da769ea1d4f598cb95283b8be314b4ace8ba69a4d55f3423ac4e7
Instruction ID: e43473a988141a97bb16a64f98eec393747a4b869a1f49d98577e0554e0ed4c0
Opcode Fuzzy Hash: bc186017000da769ea1d4f598cb95283b8be314b4ace8ba69a4d55f3423ac4e7
Instruction Fuzzy Hash: B7112AB5511208FFDB218FA5DC85AAEB7BDEF05744B114469B805E7110D3319E409764

Function 003A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003E33A2

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 003A3A04

Strings

Line: , xrefs: 003E33EB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 0f6b65c8649e11274e3e75282de69bc97f73c011e6640d385d10bac14a526cbb
Instruction ID: f64b7998e09ada30084848c292368d55a2cbdb2fe2bd882a687536550c1eb47a
Opcode Fuzzy Hash: 0f6b65c8649e11274e3e75282de69bc97f73c011e6640d385d10bac14a526cbb
Instruction Fuzzy Hash: 6331C271508310AAD722EB24DC4AFEBB7ECEB42710F10452EF599970E1DB749A48C7D6

Function 003A2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003E2C8C

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 003A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A2DC4

Strings

X, xrefs: 003E2C5A
`eF, xrefs: 003E2C85

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eF
API String ID: 779396738-787741465
Opcode ID: 4c51e7255c510f98c37293877abe612a7bed420b3ab6f1d105758feb170243ff
Instruction ID: a9e80ff8c06d5e0fd9da3f3464549ec3711bce461d9d70c40a7a78e3cfd638ce
Opcode Fuzzy Hash: 4c51e7255c510f98c37293877abe612a7bed420b3ab6f1d105758feb170243ff
Instruction Fuzzy Hash: 4621A871A00298AFDB02DF99C845BDE7BFCDF49304F00805AE405FB241DBB859898FA5

Function 003BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 003C0668

Part of subcall function 003C32A4: RaiseException.KERNEL32(?,?,?,003C068A,?,00471444,?,?,?,?,?,?,003C068A,003A1129,00468738,003A1129), ref: 003C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 003C0685

Strings

Unknown exception, xrefs: 003C0692

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: aec9b1e7275ab4c2e7b7d0b9723d868ac30fb84faec8b03c3ee34b9a100258e1
Instruction ID: af8b2ec75f7de125852767287f24a0f7cc3c61454f8bebe479270d07e98a6bb6
Opcode Fuzzy Hash: aec9b1e7275ab4c2e7b7d0b9723d868ac30fb84faec8b03c3ee34b9a100258e1
Instruction Fuzzy Hash: 0EF0C23490024DBB8F06BAA4DC4AE9E7B6C9E00314F60853DB914DA995EF71DE29C781

Function 003A10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A1BF4
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 003A1BFC
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A1C07
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A1C12
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 003A1C1A
Part of subcall function 003A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 003A1C22

Part of subcall function 003A1B4A: RegisterWindowMessageW.USER32(00000004,?,003A12C4), ref: 003A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003A136A
OleInitialize.OLE32 ref: 003A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 003E24AB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2e097b47c4903157907b47f4e33bbf2a59778fcbd0697762814de0b78037853b
Instruction ID: c6518eb75e90e5a02f999334ac52cde565d2b57cdb365a05410f88278e4516b5
Opcode Fuzzy Hash: 2e097b47c4903157907b47f4e33bbf2a59778fcbd0697762814de0b78037853b
Instruction Fuzzy Hash: F571B9B4921200AFC388EF7EA9866953BE4FB89344B15863ED00EDB271EB344484CF4D

Function 0040C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003A3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0040C259
KillTimer.USER32(?,00000001,?,?), ref: 0040C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040C270

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ea9c976d050e3e5412e5ea67c42e4d407f1236bf62de37432102206b884f4bcd
Instruction ID: 7949a343860ce786be424aada221ba9115aefebeda20f92d76ea44e9c482b366
Opcode Fuzzy Hash: ea9c976d050e3e5412e5ea67c42e4d407f1236bf62de37432102206b884f4bcd
Instruction Fuzzy Hash: 71319570904344EFEB229F648895BEBBBEC9F16304F0004EEE5DAA7281C7785A85CB55

Function 003D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003D85CC,?,00468CC8,0000000C), ref: 003D8704
GetLastError.KERNEL32(?,003D85CC,?,00468CC8,0000000C), ref: 003D870E
__dosmaperr.LIBCMT ref: 003D8739

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 0c98094c782ac643098b8748da5b7605d2af1fde983ae1f54c227ee1e92b0946
Instruction ID: e12fab6a0cd84eb7ac4b9f5cf054dfb45fa72814efe36dd01515ec44b9c9d415
Opcode Fuzzy Hash: 0c98094c782ac643098b8748da5b7605d2af1fde983ae1f54c227ee1e92b0946
Instruction Fuzzy Hash: C0014E37B0566026D72767347845B7E6B498B81774F3A011BF9189F3D2DEA0EC818294

Function 003ADB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 003ADB7B
DispatchMessageW.USER32(?), ref: 003ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003ADB9F
Sleep.KERNELBASE(0000000A), ref: 003ADBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 003F1CC9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 7bd427fac42ef2a2bdae29674f91f99417cf23808983abd87f0af67cb0676894
Instruction ID: 4516ea2ad11b25deee93b31bfd9386b85b4b359f68778fc2327137e7c085415c
Opcode Fuzzy Hash: 7bd427fac42ef2a2bdae29674f91f99417cf23808983abd87f0af67cb0676894
Instruction Fuzzy Hash: 58F05E306043459BE731DB649C99FEA73ACEB45310F114929E65A934D0DB3494888B2A

Function 003B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003B17F6

Strings

CALL, xrefs: 003B17C6

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 455c3e6f8d6048b9c6e38e62bf33ec8269c0677844e31e20f0fad24e9f1d8a3d
Instruction ID: 0639a38b6c6cd5934bacb601d8efe78c28dd7b76c59f23aadc0f46865f7489d6
Opcode Fuzzy Hash: 455c3e6f8d6048b9c6e38e62bf33ec8269c0677844e31e20f0fad24e9f1d8a3d
Instruction Fuzzy Hash: 4B22AD70608201DFC716DF14C491BAABBF5BF85318F64892DF68A8BB61D731E941CB92

Function 003A3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A3908

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: c6d11adb32d7aff48f6b11e406b1c4b164f41a7668d42a30b23e61e1d6513f9f
Instruction ID: 11a8e26e2dd0d818e9eadfcab6f7187151542f6f884b495973a037bcbe69d972
Opcode Fuzzy Hash: c6d11adb32d7aff48f6b11e406b1c4b164f41a7668d42a30b23e61e1d6513f9f
Instruction Fuzzy Hash: 2831A570504301DFE722DF34D885B97BBE8FB4A708F00092EF99997290E775AA48CB56

Function 003BF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003BF661

Part of subcall function 003AD730: GetInputState.USER32 ref: 003AD807

Sleep.KERNEL32(00000000), ref: 003FF2DE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: b2bc3b135ac76886bbebc8f9900d954e200fa6890ef56debc849f8396420837e
Instruction ID: a00e1ccaa56ff793792efda6ac35d1c1518ef7f72d53c3a50e81b0c80f1c43f3
Opcode Fuzzy Hash: b2bc3b135ac76886bbebc8f9900d954e200fa6890ef56debc849f8396420837e
Instruction Fuzzy Hash: 14F08C31240205AFD314EF69D859B6AF7E9EF4A760F004029E85ADB662DB70A800CB94

Function 003A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E9C
Part of subcall function 003A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003A4EAE
Part of subcall function 003A4E90: FreeLibrary.KERNEL32(00000000,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EFD

Part of subcall function 003A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E62
Part of subcall function 003A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003A4E74
Part of subcall function 003A4E59: FreeLibrary.KERNEL32(00000000,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E87

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ba1bd3ddf41ccfa678505a0c8d679d6a269b88e5f718757bdadafc8ed8052207
Instruction ID: 20a8487d3c7f4310591515319ba4576a231d6d0125a39c0deae1ec74c1e683a4
Opcode Fuzzy Hash: ba1bd3ddf41ccfa678505a0c8d679d6a269b88e5f718757bdadafc8ed8052207
Instruction Fuzzy Hash: 2D110132600205AACB12AB60D802FAD77A4EF81B10F20842EF452AB1C1EEB4EE049750

Function 003D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003D8440

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 94e140ac6038e3a8f89346420663afa80568034fefd4cd3c51180d272adfe946
Instruction ID: 84dc87165609e32621877e202841756117207cfa907e72029458463143146815
Opcode Fuzzy Hash: 94e140ac6038e3a8f89346420663afa80568034fefd4cd3c51180d272adfe946
Instruction Fuzzy Hash: 78111C7690410AAFCB06DF59E94199A7BF9EF48314F11405AF808AB312D731EA11CB65

Function 003D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D4C7D: RtlAllocateHeap.NTDLL(00000008,003A1129,00000000,?,003D2E29,00000001,00000364,?,?,?,003CF2DE,003D3863,00471444,?,003BFDF5,?), ref: 003D4CBE

_free.LIBCMT ref: 003D506C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 139604d12a0e7bb769edea34b0a3a0b3bc39fdab9abe2da0d9f981754e31098b
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 840126736047046BE3228E65A881A9AFBECFB89370F25051EE18487380EA30A905C6B4

Function 003CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 72986ef49783b265399a673e6924910dae80ce86354ce7ba80e4fc38d0c0104e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8CF0D132521A10AAC6333A79AC05F5A339C9F62330F11072EF421DA2D2DB74AC1187A5

Function 003D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003A1129,00000000,?,003D2E29,00000001,00000364,?,?,?,003CF2DE,003D3863,00471444,?,003BFDF5,?), ref: 003D4CBE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 463c93d3b8d707f921153ae4f8d94e4b9a0f19efb054e2336577f86b354d8345
Instruction ID: 9af41523a455a8479d0263c2e7ea0f960e0b51643e7d2ea4fab73dc2dec5d7ca
Opcode Fuzzy Hash: 463c93d3b8d707f921153ae4f8d94e4b9a0f19efb054e2336577f86b354d8345
Instruction Fuzzy Hash: 85F0B43366222477DB235F62BC05F5A3789BF51BA1B168127F819EB390CA70DC0197A0

Function 003D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f6ae54e89b57b78a65adf107f11770a6a1014cd6cd2b4bc95a179b186ffd4fc3
Instruction ID: 90c8ad2ed99ca276e8d5bd9b4f78747b2225b28587bec2fbb88f71be7df83c8d
Opcode Fuzzy Hash: f6ae54e89b57b78a65adf107f11770a6a1014cd6cd2b4bc95a179b186ffd4fc3
Instruction Fuzzy Hash: E9E0E53310022456E6232676BC00F9A364AAF427B0F0A0036BC04DAA90CB50DD05A3E3

Function 003A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4F6D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e7edcfde07b5f98b32614195dae37e6124f3ff95ff9f8254532781acdab52028
Instruction ID: 826923d22e4ce24a2c83aef1c05b20236eddb9df059cbebdc79dce0c57dcfea9
Opcode Fuzzy Hash: e7edcfde07b5f98b32614195dae37e6124f3ff95ff9f8254532781acdab52028
Instruction Fuzzy Hash: 9CF0A971005342CFCB368F20E490822BBE4EF52329320997EE1EA82A20C7B19844EF00

Function 00432A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00432A66

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d740433bc5bd38899fc5a33252d20667af28adae5f88065add8b1ed3379d19a7
Instruction ID: 29f3da946227c8c0c46a3e3212c093135329c685d6ae0c8d1b59014e98e022ff
Opcode Fuzzy Hash: d740433bc5bd38899fc5a33252d20667af28adae5f88065add8b1ed3379d19a7
Instruction Fuzzy Hash: 3EE0DF72350116ABC710FB31EC808FA735CEF54799B00003BEC16D2180DB78899286AC

Function 003A30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 003A314E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d5cc10bc45f6a3ad8c3df7c2a621867ecb3f1c91b9df079047a32cf6b82d7947
Instruction ID: 4064b8524fd793c6eec0457b24894c8826c8ebaa35d31cf0f335e74b4038ac5e
Opcode Fuzzy Hash: d5cc10bc45f6a3ad8c3df7c2a621867ecb3f1c91b9df079047a32cf6b82d7947
Instruction Fuzzy Hash: A6F037709143549FE7539B24DC4A7D67BBCAB01708F0000F9A54C96292DB745BC8CF55

Function 003A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A2DC4

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4da607989bd34ce89b3bf099a032f71b0d4d98cc5abe2792d2f7d47693f59373
Instruction ID: 61859b6f21a0532f0c9cc6c4f25f510b391034b77de347219e4f10aeeca5d67b
Opcode Fuzzy Hash: 4da607989bd34ce89b3bf099a032f71b0d4d98cc5abe2792d2f7d47693f59373
Instruction Fuzzy Hash: A9E0CD72A001345BCB1192599C06FDA77DDDFC8790F0401B1FD09E7248D970AD808690

Function 003A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003A3908

Part of subcall function 003AD730: GetInputState.USER32 ref: 003AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 003A2B6B

Part of subcall function 003A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 003A314E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 40105a84da426a120d47af4c379d7a71dd7ba7e09ef3366b7a40b2a59c41c0b8
Instruction ID: 73af5e25fa73d7516651bf0732cc5c6ec47f1b4057899e6c1d671e70cb41094c
Opcode Fuzzy Hash: 40105a84da426a120d47af4c379d7a71dd7ba7e09ef3366b7a40b2a59c41c0b8
Instruction Fuzzy Hash: 17E0CD3230424407C60ABB78A8565BDB75DDBD3351F40557FF14B5B173CF2945494356

Function 003E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,003E0704,?,?,00000000,?,003E0704,00000000,0000000C), ref: 003E03B7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64d40dd1055565d91e0d6b855dffacbed11a5f71b1a134baf78bacda0cdbd98d
Instruction ID: e085694b419872800f02f588c92dbceb6e1c876956b1efe74cdf8b08804c0ced
Opcode Fuzzy Hash: 64d40dd1055565d91e0d6b855dffacbed11a5f71b1a134baf78bacda0cdbd98d
Instruction Fuzzy Hash: 99D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1866060C732E821AB94

Function 003A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 003A1CBC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 913f3613021674956c8c23ecfb34686b951f56ace3d3b06f65f547864e941051
Instruction ID: 343724beb48bf14f96c1e852fb7eb7e43ccd915cfa3d6725f76d8c2fd65da39e
Opcode Fuzzy Hash: 913f3613021674956c8c23ecfb34686b951f56ace3d3b06f65f547864e941051
Instruction Fuzzy Hash: D7C09236280314FFF2148B94BD8AF107764A348B00F048021FA4EB95F3C3E228A0EB68

Non-executed Functions

Function 00439576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0043961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0043965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0043969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004396C9
SendMessageW.USER32 ref: 004396F2
GetKeyState.USER32(00000011), ref: 0043978B
GetKeyState.USER32(00000009), ref: 00439798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004397AE
GetKeyState.USER32(00000010), ref: 004397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004397E9
SendMessageW.USER32 ref: 00439810
SendMessageW.USER32(?,00001030,?,00437E95), ref: 00439918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0043992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00439941
SetCapture.USER32(?), ref: 0043994A
ClientToScreen.USER32(?,?), ref: 004399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004399D6
ReleaseCapture.USER32 ref: 004399E1
GetCursorPos.USER32(?), ref: 00439A19
ScreenToClient.USER32(?,?), ref: 00439A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00439A80
SendMessageW.USER32 ref: 00439AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00439AEB
SendMessageW.USER32 ref: 00439B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00439B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00439B4A
GetCursorPos.USER32(?), ref: 00439B68
ScreenToClient.USER32(?,?), ref: 00439B75
GetParent.USER32(?), ref: 00439B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00439BFA
SendMessageW.USER32 ref: 00439C2B
ClientToScreen.USER32(?,?), ref: 00439C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00439CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00439CDE
SendMessageW.USER32 ref: 00439D01
ClientToScreen.USER32(?,?), ref: 00439D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00439D82

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

GetWindowLongW.USER32(?,000000F0), ref: 00439E05

Strings

F, xrefs: 00439D07
@GUI_DRAGID, xrefs: 0043997D
p#G, xrefs: 00439990

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#G
API String ID: 3429851547-61952446
Opcode ID: 9d0530efc3e63decea99eeba50580244bc9a5ccfdcdb532e5eec79eb3b19aa62
Instruction ID: feee23764ab3c66a0769747eaf30d846cc9053322491584c606d39b9db18ff3a
Opcode Fuzzy Hash: 9d0530efc3e63decea99eeba50580244bc9a5ccfdcdb532e5eec79eb3b19aa62
Instruction Fuzzy Hash: 3942BD71205200AFD725CF28CC85AABBBE5FF4D310F10162AF6A9972A1D7B59C51CB4A

Function 00434873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00434908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00434927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0043494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0043495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0043497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00434A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00434A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00434A7E
IsMenu.USER32(?), ref: 00434A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00434AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00434B20
GetWindowLongW.USER32(?,000000F0), ref: 00434B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00434BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00434C82
wsprintfW.USER32 ref: 00434CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00434CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00434CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00434D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00434D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00434D5A

Strings

%d/%02d/%02d, xrefs: 00434CA8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 0a8403193967cb95200c13742481945ee3f9dff335493edabaf1c8f32e843a27
Instruction ID: 7fdac37c030665c7e32f42a724f272cdcb57aab14a7d291fd6c8a917ceca05ba
Opcode Fuzzy Hash: 0a8403193967cb95200c13742481945ee3f9dff335493edabaf1c8f32e843a27
Instruction Fuzzy Hash: 7512E171600214ABEB259F24CC49FEF7BF8EF89310F14612AF515EA2E1D778A941CB58

Function 003BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 003BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003FF474
IsIconic.USER32(00000000), ref: 003FF47D
ShowWindow.USER32(00000000,00000009), ref: 003FF48A
SetForegroundWindow.USER32(00000000), ref: 003FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FF4AA
GetCurrentThreadId.KERNEL32 ref: 003FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 003FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 003FF4DE
SetForegroundWindow.USER32(00000000), ref: 003FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF4F6
keybd_event.USER32(00000012,00000000), ref: 003FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF50B
keybd_event.USER32(00000012,00000000), ref: 003FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF519
keybd_event.USER32(00000012,00000000), ref: 003FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003FF528
keybd_event.USER32(00000012,00000000), ref: 003FF52D
SetForegroundWindow.USER32(00000000), ref: 003FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 003FF557

Strings

Shell_TrayWnd, xrefs: 003FF46F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6b06e0f39712d5070352faf18671764d8f8162ee722dfa37f0e1598015dd9611
Instruction ID: 46b3b043b5fc80bdd701ecf6cf8284e7c9aa59e8e22e036a4bd6732e6ea6843a
Opcode Fuzzy Hash: 6b06e0f39712d5070352faf18671764d8f8162ee722dfa37f0e1598015dd9611
Instruction Fuzzy Hash: 1F313071A40218BEEB216BB65C8AFBF7E6CEB44B50F111075FA05F61D1C6B19900AB64

Function 00401201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
Part of subcall function 004016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
Part of subcall function 004016C3: GetLastError.KERNEL32 ref: 0040174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00401286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004012A8
CloseHandle.KERNEL32(?), ref: 004012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004012D1
GetProcessWindowStation.USER32 ref: 004012EA
SetProcessWindowStation.USER32(00000000), ref: 004012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00401310

Part of subcall function 004010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004011FC), ref: 004010D4
Part of subcall function 004010BF: CloseHandle.KERNEL32(?,?,004011FC), ref: 004010E9

Strings

winsta0, xrefs: 004012CC
, xrefs: 0040125A
ZF, xrefs: 00401392
default, xrefs: 0040130B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZF
API String ID: 22674027-1819669305
Opcode ID: 5214d85c5e9d6b9f9e91630709a74b0fe8803e05dd03d5cf33e875c39027a91b
Instruction ID: f9fe1a22c2db29e698cad879b23e9c9c158b185df71a6ce154cb395c089923f9
Opcode Fuzzy Hash: 5214d85c5e9d6b9f9e91630709a74b0fe8803e05dd03d5cf33e875c39027a91b
Instruction Fuzzy Hash: AD816971900249ABDF219FA4DC89FEF7BB9AF04708F14413AF911B62B0D7798954CB29

Function 00400B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
Part of subcall function 004010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
Part of subcall function 004010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00400BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00400C00
GetLengthSid.ADVAPI32(?), ref: 00400C17
GetAce.ADVAPI32(?,00000000,?), ref: 00400C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00400C6D
GetLengthSid.ADVAPI32(?), ref: 00400C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00400C8C
HeapAlloc.KERNEL32(00000000), ref: 00400C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00400CB4
CopySid.ADVAPI32(00000000), ref: 00400CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00400CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00400D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00400D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D45
HeapFree.KERNEL32(00000000), ref: 00400D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D55
HeapFree.KERNEL32(00000000), ref: 00400D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400D65
HeapFree.KERNEL32(00000000), ref: 00400D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00400D78
HeapFree.KERNEL32(00000000), ref: 00400D7F

Part of subcall function 00401193: GetProcessHeap.KERNEL32(00000008,00400BB1,?,00000000,?,00400BB1,?), ref: 004011A1
Part of subcall function 00401193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00400BB1,?), ref: 004011A8
Part of subcall function 00401193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00400BB1,?), ref: 004011B7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 2cd5957a60591885642c0486859a59adfaa4e8d66f9b5f9bd9ecb2ec1aec4fff
Instruction ID: fffe7ad7052e07d99e2b3ebe6b53ed17f7e11b45c1041c63a94e00a57eb6335e
Opcode Fuzzy Hash: 2cd5957a60591885642c0486859a59adfaa4e8d66f9b5f9bd9ecb2ec1aec4fff
Instruction Fuzzy Hash: 0D71497690020AABEF109FE4DC84BAFBBB8BF04310F144526E915B6291D779AA05CB74

Function 0041EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0043CC08), ref: 0041EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0041EB37
GetClipboardData.USER32(0000000D), ref: 0041EB43
CloseClipboard.USER32 ref: 0041EB4F
GlobalLock.KERNEL32(00000000), ref: 0041EB87
CloseClipboard.USER32 ref: 0041EB91
GlobalUnlock.KERNEL32(00000000), ref: 0041EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0041EBC9
GetClipboardData.USER32(00000001), ref: 0041EBD1
GlobalLock.KERNEL32(00000000), ref: 0041EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0041EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0041EC38
GetClipboardData.USER32(0000000F), ref: 0041EC44
GlobalLock.KERNEL32(00000000), ref: 0041EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0041EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0041EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0041ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0041ECF3
CountClipboardFormats.USER32 ref: 0041ED14
CloseClipboard.USER32 ref: 0041ED59

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 12c2ebecea9d40ca2350d784163c610f6847a51ab8109c2a68e50647f5fdcd9a
Instruction ID: 275a4bf5e6e16e44bde59c013844e678f01a4546ae40c4f4b5ed6348bd3157f3
Opcode Fuzzy Hash: 12c2ebecea9d40ca2350d784163c610f6847a51ab8109c2a68e50647f5fdcd9a
Instruction Fuzzy Hash: 616104392043029FD300EF21D889F6B77A4EF85714F04546EF846AB2A1CB34ED86CB66

Function 0041698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004169BE
FindClose.KERNEL32(00000000), ref: 00416A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00416A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00416A75

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00416AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00416ADF

Strings

%4d, xrefs: 00416BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00416B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00416B32
%03d, xrefs: 00416DA2
%02d, xrefs: 00416C00, 00416C0A, 00416C5A, 00416CAA, 00416CFA, 00416D4A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f9b3b001f0770c0016897efbc24b2224ba00df3a887e8a88f96f35093afd9d81
Instruction ID: fe3e9968f09d7ac36a2188bc4407b078831ce6f083e5d675b48f0ccb0369bdc1
Opcode Fuzzy Hash: f9b3b001f0770c0016897efbc24b2224ba00df3a887e8a88f96f35093afd9d81
Instruction Fuzzy Hash: 63D14172508300AEC711EBA4CC95EABB7ECEF89704F04491EF585DA191EB78DA44C762

Function 00419642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00419663
GetFileAttributesW.KERNEL32(?), ref: 004196A1
SetFileAttributesW.KERNEL32(?,?), ref: 004196BB
FindNextFileW.KERNEL32(00000000,?), ref: 004196D3
FindClose.KERNEL32(00000000), ref: 004196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0041974A
SetCurrentDirectoryW.KERNEL32(00466B7C), ref: 00419768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00419772
FindClose.KERNEL32(00000000), ref: 0041977F
FindClose.KERNEL32(00000000), ref: 0041978F

Strings

*.*, xrefs: 004196F5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 33de2a0ca8db9ff7d5295d187e3c81dd7d88261a5129f7048378487ae0b73cd4
Instruction ID: f3ba040ad9cabe97bb23e3c733c34c5506fb525c112625eac5c357734ab8d535
Opcode Fuzzy Hash: 33de2a0ca8db9ff7d5295d187e3c81dd7d88261a5129f7048378487ae0b73cd4
Instruction Fuzzy Hash: 9D31B332940219AADB14AFB4DC59EDF77AC9F09320F1445A7F815E21D0EB38ED848B28

Function 0041979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00419819
FindClose.KERNEL32(00000000), ref: 00419824
FindFirstFileW.KERNEL32(*.*,?), ref: 00419840
SetCurrentDirectoryW.KERNEL32(?), ref: 00419890
SetCurrentDirectoryW.KERNEL32(00466B7C), ref: 004198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004198B8
FindClose.KERNEL32(00000000), ref: 004198C5
FindClose.KERNEL32(00000000), ref: 004198D5

Part of subcall function 0040DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0040DB00

Strings

*.*, xrefs: 0041983B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 3d7f7e95fe931f09c25ea1ff298aa94441cf6d4dac9625b31c6caa88c1bf1511
Instruction ID: 8f47b8fa47fd5d1cf7c724482ea83f0b943194ff0b9dfa3b6edc126785ddb441
Opcode Fuzzy Hash: 3d7f7e95fe931f09c25ea1ff298aa94441cf6d4dac9625b31c6caa88c1bf1511
Instruction Fuzzy Hash: 17317232540619AADB10AFA4DC58ADF77ACAF06324F244567E814E2190DB39DD858B6C

Function 0042BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0042BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0042BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0042C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0042C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0042C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0042C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042C382
RegCloseKey.ADVAPI32(00000000), ref: 0042C38F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 55dba530adb07d8ee9f75b8c7fa166d9ea4ba87cf5869961fb2395416d6cb5db
Instruction ID: f3912fa9009cd65be713a20c741f9c7afad062162ff742365f7f1cdeba296baf
Opcode Fuzzy Hash: 55dba530adb07d8ee9f75b8c7fa166d9ea4ba87cf5869961fb2395416d6cb5db
Instruction Fuzzy Hash: C1026C706042109FC714CF24C8D1E2ABBE5EF49308F58889DF84ADB2A2DB35EC46CB55

Function 00418195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00418257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00418267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00418273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00418310
SetCurrentDirectoryW.KERNEL32(?), ref: 00418324
SetCurrentDirectoryW.KERNEL32(?), ref: 00418356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0041838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00418395

Strings

*.*, xrefs: 0041839B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: cc345793c9062e52add1bf202a6fdbe567262cf5a0f864381394604e07ca7d31
Instruction ID: 7fdba9046673994d92eed74ad9bef7bbd1abf7bd7c05f304d8ba9b54bc95e6dc
Opcode Fuzzy Hash: cc345793c9062e52add1bf202a6fdbe567262cf5a0f864381394604e07ca7d31
Instruction Fuzzy Hash: A16159725043459FCB10EF60C880A9FB3E8FF8A314F04496EF99997251DB35E945CB96

Function 0040D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

FindFirstFileW.KERNEL32(?,?), ref: 0040D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0040D1DD
MoveFileW.KERNEL32(?,?), ref: 0040D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0040D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040D237

Part of subcall function 0040D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0040D21C,?,?), ref: 0040D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0040D253
FindClose.KERNEL32(00000000), ref: 0040D264

Strings

\*.*, xrefs: 0040D0CD, 0040D0D6, 0040D0EB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 4c89634b47bb8c7eb77222a81b805e32500c354a86afbc4a8293a9a42e3a9808
Instruction ID: c753b92a5ad6e06ed569f1a2abee4d4accff7f62c05f0d0ee4ca16c8993f97eb
Opcode Fuzzy Hash: 4c89634b47bb8c7eb77222a81b805e32500c354a86afbc4a8293a9a42e3a9808
Instruction Fuzzy Hash: AA614F31C0511D9ACF06EBE0D9929EEB779EF55304F2481AAE4027B191EB385F0DCB65

Function 0041ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0041ED91
EmptyClipboard.USER32 ref: 0041ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0041EDAC
CloseClipboard.USER32 ref: 0041EEA3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5b43d60a44140faf35313c433e336b7d42469aff8ad53bb1be545b14544b9211
Instruction ID: 9c31c76111b3422b415504560af15a85840419a0220dc3193d6dfba6fc385703
Opcode Fuzzy Hash: 5b43d60a44140faf35313c433e336b7d42469aff8ad53bb1be545b14544b9211
Instruction Fuzzy Hash: 1641A2356046119FD311DF16D889F5ABBE1EF44318F14C0AAE8199F762C735EC82CB94

Function 0040E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
Part of subcall function 004016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
Part of subcall function 004016C3: GetLastError.KERNEL32 ref: 0040174A

ExitWindowsEx.USER32(?,00000000), ref: 0040E932

Strings

SeShutdownPrivilege, xrefs: 0040E902
, xrefs: 0040E95C
, xrefs: 0040E920
@, xrefs: 0040E925

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 31e3b3343c14457441919f8b6d37f95ac5d343263ab8b26670760fc8e0ea1c6c
Instruction ID: 8e91018e74535736a6f404a00a281ee54913e7b7526e40e59928ada290faa1b4
Opcode Fuzzy Hash: 31e3b3343c14457441919f8b6d37f95ac5d343263ab8b26670760fc8e0ea1c6c
Instruction Fuzzy Hash: 8001D6B3610211ABEB5426B69CC6FBB726CA714754F154D37FC02F22E2D5B95C50829C

Function 00421204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00421276
WSAGetLastError.WSOCK32 ref: 00421283
bind.WSOCK32(00000000,?,00000010), ref: 004212BA
WSAGetLastError.WSOCK32 ref: 004212C5
closesocket.WSOCK32(00000000), ref: 004212F4
listen.WSOCK32(00000000,00000005), ref: 00421303
WSAGetLastError.WSOCK32 ref: 0042130D
closesocket.WSOCK32(00000000), ref: 0042133C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: fa51f06f79d8c251c83199ac898c85c5ecbce5cc8fa460b0a86a9918bab6558d
Instruction ID: cd40e1d4191cbde071cc8a3770e1709f6e8eda7a2c62ea5eda8703726cc72b8f
Opcode Fuzzy Hash: fa51f06f79d8c251c83199ac898c85c5ecbce5cc8fa460b0a86a9918bab6558d
Instruction Fuzzy Hash: 9A419031A00110DFD714EF24D484B2ABBE6AF56318F588099E856AF3A2C775ED81CBE5

Function 0040D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

FindFirstFileW.KERNEL32(?,?), ref: 0040D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0040D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0040D481
FindClose.KERNEL32(00000000), ref: 0040D498
FindClose.KERNEL32(00000000), ref: 0040D4A1

Strings

\*.*, xrefs: 0040D3F2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bd1a0e5f84d896e10acf4c7ba76313b1caa5543094ef42631ad5ac9bfc9511d0
Instruction ID: da72de2c748c477e0c9e925c1f69bbc5f8ac086a08ec35a060ef6071f2d68522
Opcode Fuzzy Hash: bd1a0e5f84d896e10acf4c7ba76313b1caa5543094ef42631ad5ac9bfc9511d0
Instruction Fuzzy Hash: 7A317E314083459BC301EFA4D8959AFB7A8EE92304F444A6EF4D1A71D1EB38AA0DC767

Function 003DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003DE645

Strings

1#IND, xrefs: 003DF83D
1#QNAN, xrefs: 003DF84B
1#INF, xrefs: 003DF852
1#SNAN, xrefs: 003DF844

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2fcf7052390c90ef9d420c3ab8d9c8394bce70f50ed7fa523e7653bfaa64b82d
Instruction ID: 1db8a0b1f48807a38497f4ceaf1ef63e4e7fc6bec93bd32b8e621f25dc2bc5e4
Opcode Fuzzy Hash: 2fcf7052390c90ef9d420c3ab8d9c8394bce70f50ed7fa523e7653bfaa64b82d
Instruction Fuzzy Hash: 1EC22C72E046288FDB26DF28AD807EAB7B5EB45305F1541EBD44EE7241E774AE818F40

Function 0041648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004164DC
CoInitialize.OLE32(00000000), ref: 00416639
CoCreateInstance.OLE32(0043FCF8,00000000,00000001,0043FB68,?), ref: 00416650
CoUninitialize.OLE32 ref: 004168D4

Strings

.lnk, xrefs: 004164BA, 00416524, 004165E0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1eccf8f596f32c789370ca41ff138d2fb22ac955f7ba285db829e52a06a48a5e
Instruction ID: c3ba921e563c4b4d993aad37dfc27b937d7a75e4e91b20753f994e7c2b6ef36b
Opcode Fuzzy Hash: 1eccf8f596f32c789370ca41ff138d2fb22ac955f7ba285db829e52a06a48a5e
Instruction Fuzzy Hash: 63D14971508201AFC305EF24C881AABB7E9FF99704F14496EF5959B291EB30ED49CB92

Function 004222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004222E8

Part of subcall function 0041E4EC: GetWindowRect.USER32(?,?), ref: 0041E504

GetDesktopWindow.USER32 ref: 00422312
GetWindowRect.USER32(00000000), ref: 00422319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00422355
GetCursorPos.USER32(?), ref: 00422381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004223DF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: d2175767c3ee434816e1c30719d2eac0e50f6151f90c20cf2519ce0475af4275
Instruction ID: d39e29e9a7865a64589dff42ffa593030b138f35ae4529d5449e42caf06324e8
Opcode Fuzzy Hash: d2175767c3ee434816e1c30719d2eac0e50f6151f90c20cf2519ce0475af4275
Instruction Fuzzy Hash: E5310472204325AFC720DF25D845F5BB7A9FF84314F40092EF984A7181DB78EA08CB9A

Function 00419B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00419B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00419C8B

Part of subcall function 00413874: GetInputState.USER32 ref: 004138CB
Part of subcall function 00413874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00413966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00419BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00419C75

Strings

*.*, xrefs: 00419B5D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 8d5e7fd7af0568083aabb8bc5267fc4f2c2483fcc0b34c1c95f3d4bb296e4c86
Instruction ID: 54c2285f5d0e5152c4dbc0988ea8d30de45fd5dab4359cc83c537c320b7b4869
Opcode Fuzzy Hash: 8d5e7fd7af0568083aabb8bc5267fc4f2c2483fcc0b34c1c95f3d4bb296e4c86
Instruction Fuzzy Hash: 2B4181719442099FDF15DF64C899AEE7BB8EF05310F204056E805A7291EB34AE84CFA9

Function 003B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 003B9A4E
GetSysColor.USER32(0000000F), ref: 003B9B23
SetBkColor.GDI32(?,00000000), ref: 003B9B36

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9932e4df46d5b95a8c38cc0d8c93cd626ff6169ff62c938c904a811d2af3e917
Instruction ID: ee373b039e1895f4e0c48aafa2c0479ef481c5a62c79d8b6c0e5a18101e97ead
Opcode Fuzzy Hash: 9932e4df46d5b95a8c38cc0d8c93cd626ff6169ff62c938c904a811d2af3e917
Instruction Fuzzy Hash: C7A119B0118408BEE727AA3D8C99FFB375DDB46348F16411BF702D6E91CA259D41C27A

Function 00421806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0042307A
Part of subcall function 0042304E: _wcslen.LIBCMT ref: 0042309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0042185D
WSAGetLastError.WSOCK32 ref: 00421884
bind.WSOCK32(00000000,?,00000010), ref: 004218DB
WSAGetLastError.WSOCK32 ref: 004218E6
closesocket.WSOCK32(00000000), ref: 00421915

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c68fd091b79990d54b535961a9945d72b42de1347a355ac7a39e8e96e4329f21
Instruction ID: 65fd9b701299be2746b83cfae09dcce5348033c112b3d4c27c932c995d42616d
Opcode Fuzzy Hash: c68fd091b79990d54b535961a9945d72b42de1347a355ac7a39e8e96e4329f21
Instruction Fuzzy Hash: 8351D071A00210AFDB11AF24D8C6F6A77E5EB45718F488098F90AAF3D3C775AD41CBA1

Function 00431C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00431CC0
IsWindowEnabled.USER32 ref: 00431CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00431CDB
IsIconic.USER32 ref: 00431CE9
IsZoomed.USER32 ref: 00431CF7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e9d5fc89dd394ec18da00d2100d9d8fff8833712633c7576591b7ea246bbd1af
Instruction ID: 4ab3fb5c91b9bcf15cbe98d2d37133e8ec890d42f97290a7b8e854599a6080b0
Opcode Fuzzy Hash: e9d5fc89dd394ec18da00d2100d9d8fff8833712633c7576591b7ea246bbd1af
Instruction Fuzzy Hash: 9521D3317402105FD7208F2AC894B6B7BA5EF99314F18B06AE8469B361C779EC42CB98

Function 003A8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 003A83E8
VUUU, xrefs: 003E5DF0
VUUU, xrefs: 003A83FA
VUUU, xrefs: 003A843C
ERCP, xrefs: 003A813C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6b58b62f72d5925f9dc375dc3220ba919d7c0bbcbeaf5c145911717212e3d50c
Instruction ID: ee2246bb697eececc659918afe6625bb7820b3f86faf827f95dd40a42dfe5191
Opcode Fuzzy Hash: 6b58b62f72d5925f9dc375dc3220ba919d7c0bbcbeaf5c145911717212e3d50c
Instruction Fuzzy Hash: 5CA2C074E0026ACBDF26CF59C8417AEB7B1FF55314F2586AAD815AB281DB309D81CF90

Function 00408298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004082AA

Strings

tbF, xrefs: 004084F4
(, xrefs: 004082F0
|, xrefs: 004082DA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbF$|
API String ID: 1659193697-3157441505
Opcode ID: f8591082df0246dbb9a784cf4bc914b4b4e67be673a35538b3eb378b23073db7
Instruction ID: 3a75237bf32bee3143b5bb679d6cfee69dfd95389e056670d16b33ddf99f2ead
Opcode Fuzzy Hash: f8591082df0246dbb9a784cf4bc914b4b4e67be673a35538b3eb378b23073db7
Instruction Fuzzy Hash: 3D324675A007059FCB28CF19C581A6AB7F0FF48710B15C56EE89AEB3A1EB74E941CB44

Function 0040AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0040AAAC
SetKeyboardState.USER32(00000080), ref: 0040AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0040AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0040AB88

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3f58a1e2db42f1ab3c90b0e0ae49014221bdf043d678201bae318e48300638ae
Instruction ID: fc4c9ad4e131d413d5b23a31b1d3d6d795f7270f93baa6b3524bff9251df9f29
Opcode Fuzzy Hash: 3f58a1e2db42f1ab3c90b0e0ae49014221bdf043d678201bae318e48300638ae
Instruction Fuzzy Hash: 2B31F731A40318AEEB358A658C05BFB77B6AB44310F04423BE681762D1D37CA9A1C75B

Function 003DBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003DBB7F

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

GetTimeZoneInformation.KERNEL32 ref: 003DBB91
WideCharToMultiByte.KERNEL32(00000000,?,0047121C,000000FF,?,0000003F,?,?), ref: 003DBC09
WideCharToMultiByte.KERNEL32(00000000,?,00471270,000000FF,?,0000003F,?,?,?,0047121C,000000FF,?,0000003F,?,?), ref: 003DBC36

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c23d438c54ab95608387f6b2658e7d138e15bd1777e8d9795b398ff8b197297b
Instruction ID: e1f076296905963a7340a8f19d28d47ef56f47df3ef190d33bfd9236f2c86ded
Opcode Fuzzy Hash: c23d438c54ab95608387f6b2658e7d138e15bd1777e8d9795b398ff8b197297b
Instruction Fuzzy Hash: 7F31CE72904205DFCB12DFA8EC81969FBB8FF4535071686ABE055EB3B2DB309A40DB54

Function 0041CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0041CE89
GetLastError.KERNEL32(?,00000000), ref: 0041CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0041CEFE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4a200db879f07668673c1dd92fb1c7942a1ddb1966c5c9a6797c1455f2a72e0d
Instruction ID: 70954de8b8cc4f4caa1a8f2d05b6817109070bfe3d4fbdb28f6e0968edfe947c
Opcode Fuzzy Hash: 4a200db879f07668673c1dd92fb1c7942a1ddb1966c5c9a6797c1455f2a72e0d
Instruction Fuzzy Hash: 4F21B0715403059BD720CFA5CD88BA7B7F9EB10314F10442EE646E2291E778ED858B98

Function 00415C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00415CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00415D17
FindClose.KERNEL32(?), ref: 00415D5F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 33cb94a4aff3127b95a98004ee32f83e05beab0ace5ef57302dc7b7ba24e229c
Instruction ID: 22fd3320884c32280a8b1e51d44de0c9175f94337252ef22ac89411864e761bc
Opcode Fuzzy Hash: 33cb94a4aff3127b95a98004ee32f83e05beab0ace5ef57302dc7b7ba24e229c
Instruction Fuzzy Hash: 9B519834604A01DFC714CF28D494E9AB7E4FF8A314F14855EE95A8B3A1DB34EC84CB95

Function 003D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 003D2731

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e0b647593a18b3aaace2b90bdd8a27bca52f2c526321390cfa375fa011b5fe5
Instruction ID: 7820ebc325dd26672f300ed1c51a48112f3f6c814142fe7ff24f28d858245c37
Opcode Fuzzy Hash: 3e0b647593a18b3aaace2b90bdd8a27bca52f2c526321390cfa375fa011b5fe5
Instruction Fuzzy Hash: 4A31D67590121CABCB22DF64DC88BDDBBB8AF18310F5041EAE81CA7261E7749F818F45

Function 004151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00415238
SetErrorMode.KERNEL32(00000000), ref: 004152A1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ab767d3a5bf5d539d72efe894843bfbd1e3ea82334ecc8a780a0049e40dec6b5
Instruction ID: 2719d56def59562e5dff69ebc45cc7017e7dd4c47bfc846858ecd8bc97879502
Opcode Fuzzy Hash: ab767d3a5bf5d539d72efe894843bfbd1e3ea82334ecc8a780a0049e40dec6b5
Instruction Fuzzy Hash: 6F312B75A00518DFDB00DF54D884EEEBBB4FF49314F0480A9E805AB3A6DB35E856CB95

Function 004016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 003BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003C0668
Part of subcall function 003BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 003C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0040170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0040173A
GetLastError.KERNEL32 ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c46f6e80e754d038bf37a34bcb7f5c2acb6f52c358fc59ea8f77b33b41e27417
Instruction ID: 6974e35fbef95f7bd6488f761376cd1a9c92ec2233eb1ce5084a0cd3304b4ec9
Opcode Fuzzy Hash: c46f6e80e754d038bf37a34bcb7f5c2acb6f52c358fc59ea8f77b33b41e27417
Instruction Fuzzy Hash: 5211CEB2400304AFD718AF54DCC6DABB7B9EF04714B20853EE05667691EB70FC418B64

Function 0040D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0040D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0040D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0040D650

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 04fdd1f5130f6192019af271d07badb581b39392ced3234ddc490a0b3252ec87
Instruction ID: 602079b124829ff88f9b74f01d49f36b1b4ae3a5c613a79179bd396927973851
Opcode Fuzzy Hash: 04fdd1f5130f6192019af271d07badb581b39392ced3234ddc490a0b3252ec87
Instruction Fuzzy Hash: 50118E71E01228BFDB108FA4DC84FAFBBBCEB45B50F108122F904F7290C2704A058BA5

Function 00401663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004016A1
FreeSid.ADVAPI32(?), ref: 004016B1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 73758008f9ead1b959b06be7f0c3c1ba8971b023536adcb7acdc4544e6e47489
Instruction ID: aaf99b6a2f7dc129f30e4d7b5df4d2a0be71e4f034eb1058c09443602597cfe9
Opcode Fuzzy Hash: 73758008f9ead1b959b06be7f0c3c1ba8971b023536adcb7acdc4544e6e47489
Instruction Fuzzy Hash: F0F0F47195030DFBEB00DFE49D89EAEBBBCEB08704F504965E501E2191E774AA448B54

Function 003FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 003FD28C

Strings

X64, xrefs: 003FD2A8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d521f3f651e86be2f304063ede713788b0c2b1b229c6659d60a74157a997f67f
Instruction ID: 84038648d0f70af2fe7dc27296ee543f106f22e4b240c6aa90ad5950d55a1f3c
Opcode Fuzzy Hash: d521f3f651e86be2f304063ede713788b0c2b1b229c6659d60a74157a997f67f
Instruction Fuzzy Hash: E7D0C9B480111DEACB95DB90DCC8DD9B37CBB04305F100551F206A2400D73096488F10

Function 003CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 9c5526b9912cef1696adc5716f9210d6d263525494a3476db60e2899466bb095
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 40021B71E102199BDF15CFA9C880BADBBF1EF48314F25816DD819EB284D731AE418B94

Function 003ACAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 003F0C40
p#G, xrefs: 003ACF7F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#G
API String ID: 0-3110822686
Opcode ID: aee5a28600e2b572ba27429e9d937dbe1aa02d1d54b81f9a574da46ff5d7cbeb
Instruction ID: b124b24b0439dd6fa8ee7fef9875fe3d6107bd40da00541470cbf4b223b4de7c
Opcode Fuzzy Hash: aee5a28600e2b572ba27429e9d937dbe1aa02d1d54b81f9a574da46ff5d7cbeb
Instruction Fuzzy Hash: 9B328A70910218DFCF1ADF94C980AFDB7B9FF16308F155069E906AB292DB35AE45CB60

Function 004168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00416918
FindClose.KERNEL32(00000000), ref: 00416961

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d8ba2fc08f3bdc44515decd529d557839f9e8016ee6805176cb2733dbd945ff2
Instruction ID: c1df7ea1cda221bf6cfbf8d6f0f0b993772bfa05c5333edbf438b9fabee8ef8c
Opcode Fuzzy Hash: d8ba2fc08f3bdc44515decd529d557839f9e8016ee6805176cb2733dbd945ff2
Instruction Fuzzy Hash: C01190716142109FC710DF29D8C4A16BBE5FF85328F15C6AAE8698F3A2C734EC45CB91

Function 004137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00424891,?,?,00000035,?), ref: 004137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00424891,?,?,00000035,?), ref: 004137F4

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 19838e5fba7b0ed25f3aa833f4817c1aea050b776e527d413edaf2032e7ea51f
Instruction ID: 55d5ec79e85924426135494f012bd44f71198cdb85ea1a3583760157626fd38e
Opcode Fuzzy Hash: 19838e5fba7b0ed25f3aa833f4817c1aea050b776e527d413edaf2032e7ea51f
Instruction Fuzzy Hash: 24F0E5B17043282AEB2017668C8DFEB7AAEEFC5761F000276F509E22C1D9609D44C7F4

Function 0040B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0040B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0040B270

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: b7e04bf2af70ab7ba2c1eb1fb6e3b8601d063883d74d3fc151d1356d796b0d95
Instruction ID: 6d2640dfe2c8c22cdfa08d62de5c17694f1e4cf9eaff764db9f479d6d762b36b
Opcode Fuzzy Hash: b7e04bf2af70ab7ba2c1eb1fb6e3b8601d063883d74d3fc151d1356d796b0d95
Instruction Fuzzy Hash: 66F01D7180424EABDB059FA0C805BAE7BB4FF04305F00905AF955A5191C37986119F98

Function 004010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004011FC), ref: 004010D4
CloseHandle.KERNEL32(?,?,004011FC), ref: 004010E9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cf5c55cf7b851c4dda2116dc87b9263ed096026f1b5d352fba22f0bf9cbd8c86
Instruction ID: 494a5cd773078fe08dfd91eaff69d5f538b3204f3212650216e2b8e52fdb1335
Opcode Fuzzy Hash: cf5c55cf7b851c4dda2116dc87b9263ed096026f1b5d352fba22f0bf9cbd8c86
Instruction Fuzzy Hash: 99E04F32004600AEF7262B51FC45EB777E9EB04310B10883EF5A5948B1DB62ACA0DB54

Function 003D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003D6766,?,?,00000008,?,?,003DFEFE,00000000), ref: 003D6998

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ba33c10db4195f122deed959d716b4d1fac6b4ae63e48644b00ba91a51e80b61
Instruction ID: d0f82c6bd0ed12b33f86c719bdd55543a83b521f51fa0bb4739cd88f728351e3
Opcode Fuzzy Hash: ba33c10db4195f122deed959d716b4d1fac6b4ae63e48644b00ba91a51e80b61
Instruction Fuzzy Hash: 07B16A726106089FD716CF28D48AB657BE0FF05364F268659E8E9CF3A2C335E991CB40

Function 003BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 003F851F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d75f68391125548e3f7dd0dac20c11871402cf831155f029987352b0479c7d31
Instruction ID: 70db6802c05fce9811c1b1398502dffc9771652c724d30b0138a85d3fae8a39c
Opcode Fuzzy Hash: d75f68391125548e3f7dd0dac20c11871402cf831155f029987352b0479c7d31
Instruction Fuzzy Hash: 6E128E759002299BCB25CF59C8806FEB7F5FF48314F1181AAE949EB651DB709E81CB90

Function 0041EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0041EABD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 7c8e03ed70d659783aec06bfc90fbee347185dacccfd9e818133b72978211471
Instruction ID: 12bc0acd2683a115f3ec451f19d4354801ec82b46d3674561472afb0cd5cc51b
Opcode Fuzzy Hash: 7c8e03ed70d659783aec06bfc90fbee347185dacccfd9e818133b72978211471
Instruction Fuzzy Hash: CAE04F362102049FC710EF6AD845E9AF7E9EF997A0F008426FC4ADB351DB74E8818B95

Function 003C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003C03EE), ref: 003C09DA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 724a0d43c3af1816ad008803304e3a3c7e9becc89565def6e9cffce7c561de35
Instruction ID: 2c867a437f2a76a79ff73985c7ce40d1de0ec66dc0114ba89500637cc7d9e5e8
Opcode Fuzzy Hash: 724a0d43c3af1816ad008803304e3a3c7e9becc89565def6e9cffce7c561de35
Instruction Fuzzy Hash:

Function 003C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 003C798B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: b218f1ab0ad8bcd559592fa5d193d61aa7b11ee508c6a4171f32017fddc9f7e7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7551677260C7055BDB3B8628885FFFE23999B12340F19050DEE82DB682CB25DE01DF52

Function 00412046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&G, xrefs: 00412053

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: 0&G
API String ID: 0-4031540117
Opcode ID: f0312f83777b8827bee208c098701a97501fbb0fc948a1a949b35813f6eeb205
Instruction ID: f7d9230036af97c699186706f21b0ff2253b68bd5961388f236941a222787120
Opcode Fuzzy Hash: f0312f83777b8827bee208c098701a97501fbb0fc948a1a949b35813f6eeb205
Instruction Fuzzy Hash: F421D5322206118BD728CF79C9226BE77E5A754310F14862EE4A7C33D1DE79A944CB84

Function 003D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700a360fa95299656c58a21cade99b88c33707ce5b0b6d41d1bc41682b4abd50
Instruction ID: 26ff57600fa727aa49bfef8cd638bd8e190c3fc5f0ab23f06021c6183862108a
Opcode Fuzzy Hash: 700a360fa95299656c58a21cade99b88c33707ce5b0b6d41d1bc41682b4abd50
Instruction Fuzzy Hash: 4F324426D29F014DD7239634ED22336A249AFB73C5F65D737F81AB5EA6EB29C4834100

Function 003BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dfee300456beb7bed9a4332b38c4f96d92fcdb15b6f35d04c7bbbfb5309b63
Instruction ID: c7b4b2d6d03abb457fde96d3328e5de4e104be77785279f8306db499991ec9c1
Opcode Fuzzy Hash: a3dfee300456beb7bed9a4332b38c4f96d92fcdb15b6f35d04c7bbbfb5309b63
Instruction Fuzzy Hash: CD325C31AA414D8BDF36CF28C6906BD7BA1EB45304F2AB526D749CBA91D330DD82DB41

Function 003A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac557f7fde877f5a3cdcbccd81aff0f4e88f2577803ac31c884fb1b9c86a6e1
Instruction ID: cb773064745de5f427e220b8227f887b278b74c045e2c49f13d74e9115a13bc9
Opcode Fuzzy Hash: aac557f7fde877f5a3cdcbccd81aff0f4e88f2577803ac31c884fb1b9c86a6e1
Instruction Fuzzy Hash: FF22C0B0A00619DFDF16CFA5C881AEEB3F5FF45304F104629E816AB691EB35AD11CB60

Function 003A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbd1a0a8867d064b600031f5eb4e79ac4254e250ae806a3d0b6a40abadaf1d2
Instruction ID: 45851c844561b087fdda5a484007a257b4200ff8562dd7938cae290d1ac75eda
Opcode Fuzzy Hash: 3dbd1a0a8867d064b600031f5eb4e79ac4254e250ae806a3d0b6a40abadaf1d2
Instruction Fuzzy Hash: F802C6B0A00159EFCB06DF65D881BAEB7B5FF44304F118169E816AB2D1EB31EE50CB95

Function 003D9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e0a79ac9d3637cfe14d72dee6182b6a8f6f02f9499d7c034e12d4ec17a15c7
Instruction ID: b8e0a3be3a4bc3aead8356075848507eee48be311cb52de8dac9012999bd1a78
Opcode Fuzzy Hash: 92e0a79ac9d3637cfe14d72dee6182b6a8f6f02f9499d7c034e12d4ec17a15c7
Instruction Fuzzy Hash: B4B11525D2AF404DD3239B398831336B65CAFBB6D6F51D72BFC1674D62EB2286834140

Function 003C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 37919dee721987f3d32121d16f8ce6b8bc1fe56b843932d98b09a0fc01219533
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 179166721090A349DB6B46398574A3EFFE15A533A131B079DE4F3CA1C6EE249D64F720

Function 003C1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 2ca3499879c84cff933ee88972686e7adacf0f4c5fe98ab194ef5706137d4bcc
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F99157722090A349D76B46398574A3FFFE15A923A131F079ED4F2CA5C6EE248D64E720

Function 003C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5d9bb1d946667d9a61dbea680e80b1cb22e0c0954d5111712396509ff2cd055b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FD9153762090A349DB2F427A857493DFEE55A933A131A079DD4F2CA1C2FE24CD64BB20

Function 003C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1147ffb15fc12f8230feef16e56b6d4c7f8a0944c5974519ef050ce9a295e7e
Instruction ID: 30ae730f5d04f048f68a21cb771b2ac16592d6e199de7564fc1c3ce56d430830
Opcode Fuzzy Hash: f1147ffb15fc12f8230feef16e56b6d4c7f8a0944c5974519ef050ce9a295e7e
Instruction Fuzzy Hash: 9161767520874AA6DB3B9A288D96FBE3398DF41710F11091EEC43DF781DA11AE42CF55

Function 003C7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4e1018b2c7210f3ff0a985cebb4e2d4e7fb0ed23a19444807a453a57e8d1b3
Instruction ID: b1fc7ba96e279c6b616232936a56599c3f2c978ade448d108d95defc352fc117
Opcode Fuzzy Hash: 4a4e1018b2c7210f3ff0a985cebb4e2d4e7fb0ed23a19444807a453a57e8d1b3
Instruction Fuzzy Hash: 74617832208709A7DA3B5A38489AFBF2398AF42744F11095EFD43DF681DA12AD42CF55

Function 003C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5663be3bd9f88e2bd3ab2f9c98bc92b48242ec1f2cab2ccea248fbc108970663
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D481637250C0A349DB6B42398534A3EFFE15A933A131B079DD4F2CA5C6EE249D54F760

Function 00422ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00422B30
DeleteObject.GDI32(00000000), ref: 00422B43
DestroyWindow.USER32 ref: 00422B52
GetDesktopWindow.USER32 ref: 00422B6D
GetWindowRect.USER32(00000000), ref: 00422B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00422CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00422CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422CF8
GetClientRect.USER32(00000000,?), ref: 00422D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00422D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D80
GlobalLock.KERNEL32(00000000), ref: 00422D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422D98
GlobalUnlock.KERNEL32(00000000), ref: 00422DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422DA8
GlobalFree.KERNEL32(00000000), ref: 00422DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0043FC38,00000000), ref: 00422DDB
GlobalFree.KERNEL32(00000000), ref: 00422DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00422E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00422E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00422E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0042303F

Strings

DISPLAY, xrefs: 00422EA2
AutoIt v3, xrefs: 00422CF2
, xrefs: 00422FC5
static, xrefs: 00422D3A, 00422E91

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b5313e6e8e37aeb8aa02a6c7d59fe7049da91210a42223a1a67a8c022de61348
Instruction ID: 570f8fa32cc52953413d020d1639ec7377ec6158120d22ef01b786c30398982a
Opcode Fuzzy Hash: b5313e6e8e37aeb8aa02a6c7d59fe7049da91210a42223a1a67a8c022de61348
Instruction Fuzzy Hash: 89029C71A00214AFDB14DF64DD89EAE7BB9EF49310F048169F915AB2A1CB78ED01CF64

Function 004370D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0043712F
GetSysColorBrush.USER32(0000000F), ref: 00437160
GetSysColor.USER32(0000000F), ref: 0043716C
SetBkColor.GDI32(?,000000FF), ref: 00437186
SelectObject.GDI32(?,?), ref: 00437195
InflateRect.USER32(?,000000FF,000000FF), ref: 004371C0
GetSysColor.USER32(00000010), ref: 004371C8
CreateSolidBrush.GDI32(00000000), ref: 004371CF
FrameRect.USER32(?,?,00000000), ref: 004371DE
DeleteObject.GDI32(00000000), ref: 004371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00437230
FillRect.USER32(?,?,?), ref: 00437262
GetWindowLongW.USER32(?,000000F0), ref: 00437284

Part of subcall function 004373E8: GetSysColor.USER32(00000012), ref: 00437421
Part of subcall function 004373E8: SetTextColor.GDI32(?,?), ref: 00437425
Part of subcall function 004373E8: GetSysColorBrush.USER32(0000000F), ref: 0043743B
Part of subcall function 004373E8: GetSysColor.USER32(0000000F), ref: 00437446
Part of subcall function 004373E8: GetSysColor.USER32(00000011), ref: 00437463
Part of subcall function 004373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00437471
Part of subcall function 004373E8: SelectObject.GDI32(?,00000000), ref: 00437482
Part of subcall function 004373E8: SetBkColor.GDI32(?,00000000), ref: 0043748B
Part of subcall function 004373E8: SelectObject.GDI32(?,?), ref: 00437498
Part of subcall function 004373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004374B7
Part of subcall function 004373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004374CE
Part of subcall function 004373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004374DB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 46840300c1956a3c8fc30a0b5211ead650f191d9904cc41b67919df86b2c35c6
Instruction ID: 73b97a787b9e3774cb6656b13be8f958ed25602753792304a981e737e0793dba
Opcode Fuzzy Hash: 46840300c1956a3c8fc30a0b5211ead650f191d9904cc41b67919df86b2c35c6
Instruction Fuzzy Hash: 8AA1A172008311BFDB109F60DC88E5B7BA9FB4C320F102A29F9A2A61E1D775E944DF56

Function 003B8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 003B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 003F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 003F6F43

Part of subcall function 003B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003B8BE8,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8FC5

SendMessageW.USER32(?,00001053), ref: 003F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 003F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 003F6FB7

Strings

0, xrefs: 003F6DCF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 95e08483217150fc8d192e8e91cbb0b2173bf7181600127e72fab35027c2db9a
Instruction ID: 26b1747f5e47d455a25f137ca4654dea8088d0f396d939a6e10f03eb09db1be6
Opcode Fuzzy Hash: 95e08483217150fc8d192e8e91cbb0b2173bf7181600127e72fab35027c2db9a
Instruction Fuzzy Hash: 3A12DD70200205EFDB26DF28C985BBAB7F9FB44304F154469F6899B661CB31EC92CB95

Function 00422711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0042273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0042286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00422900
GetClientRect.USER32(00000000,?), ref: 0042290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00422955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00422964
GetStockObject.GDI32(00000011), ref: 00422974
SelectObject.GDI32(00000000,00000000), ref: 00422978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00422988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00422991
DeleteDC.GDI32(00000000), ref: 0042299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00422A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00422A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00422A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00422A77
GetStockObject.GDI32(00000011), ref: 00422A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00422A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00422A97

Strings

DISPLAY, xrefs: 0042295A
msctls_progress32, xrefs: 00422A13
AutoIt v3, xrefs: 004228F8
static, xrefs: 0042294F, 00422A71

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6305d75bef7a8e4654bb0d24b872a95b22270937f41d9fa264c3849f6bddc1a8
Instruction ID: 6547b14760aa2fd886647fffd8a3eb964cb11b3faeb1b270d4b03f4288be70d8
Opcode Fuzzy Hash: 6305d75bef7a8e4654bb0d24b872a95b22270937f41d9fa264c3849f6bddc1a8
Instruction Fuzzy Hash: 21B16D71A00215BFEB14DF68DD8AFAE7BA9EB49710F104115F914EB2A0D774ED40CBA8

Function 00414ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00414AED
GetDriveTypeW.KERNEL32(?,0043CB68,?,\\.\,0043CC08), ref: 00414BCA
SetErrorMode.KERNEL32(00000000,0043CB68,?,\\.\,0043CC08), ref: 00414D36

Strings

\\.\, xrefs: 00414B3F
ATA, xrefs: 00414C98
Virtual, xrefs: 00414CE5
SCSI, xrefs: 00414C8A
Fixed, xrefs: 00414C09
CDROM, xrefs: 00414BFB
SSD, xrefs: 00414C4A
SAS, xrefs: 00414CC9
1394, xrefs: 00414C9F
SSA, xrefs: 00414CA6
Removable, xrefs: 00414C10, 00414C15
Network, xrefs: 00414C02
PhysicalDrive, xrefs: 00414B76
iSCSI, xrefs: 00414CC2
ATAPI, xrefs: 00414C91
RAID, xrefs: 00414CBB
MMC, xrefs: 00414CDE
Unknown, xrefs: 00414BED, 00414C83
FileBackedVirtual, xrefs: 00414CEC
USB, xrefs: 00414CB4
SATA, xrefs: 00414CD0
RAMDisk, xrefs: 00414BF4
Fibre, xrefs: 00414CAD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a5077808a6ec21e15844dea162e7fca3e075989ca2d29a0592d89b7f959f0636
Instruction ID: 27a26bde5e499795063162d3741b9f7431c46efa8af1ccf5dd9ee3d740b90359
Opcode Fuzzy Hash: a5077808a6ec21e15844dea162e7fca3e075989ca2d29a0592d89b7f959f0636
Instruction Fuzzy Hash: 7F6174306051059BCB04DF24CA81EE977A1EBC5744B268417F806AB691FB3DED82DB9F

Function 004373E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00437421
SetTextColor.GDI32(?,?), ref: 00437425
GetSysColorBrush.USER32(0000000F), ref: 0043743B
GetSysColor.USER32(0000000F), ref: 00437446
CreateSolidBrush.GDI32(?), ref: 0043744B
GetSysColor.USER32(00000011), ref: 00437463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00437471
SelectObject.GDI32(?,00000000), ref: 00437482
SetBkColor.GDI32(?,00000000), ref: 0043748B
SelectObject.GDI32(?,?), ref: 00437498
InflateRect.USER32(?,000000FF,000000FF), ref: 004374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0043752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00437554
InflateRect.USER32(?,000000FD,000000FD), ref: 00437572
DrawFocusRect.USER32(?,?), ref: 0043757D
GetSysColor.USER32(00000011), ref: 0043758E
SetTextColor.GDI32(?,00000000), ref: 00437596
DrawTextW.USER32(?,004370F5,000000FF,?,00000000), ref: 004375A8
SelectObject.GDI32(?,?), ref: 004375BF
DeleteObject.GDI32(?), ref: 004375CA
SelectObject.GDI32(?,?), ref: 004375D0
DeleteObject.GDI32(?), ref: 004375D5
SetTextColor.GDI32(?,?), ref: 004375DB
SetBkColor.GDI32(?,?), ref: 004375E5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2e7ddcbcc2f1d8a9da06d7da6f912b78f55362280364227cc1aadadfa4bf6b59
Instruction ID: 70b55e85c15d9023df85635d524df9330b01819178e74f219a3acfa30e2e576e
Opcode Fuzzy Hash: 2e7ddcbcc2f1d8a9da06d7da6f912b78f55362280364227cc1aadadfa4bf6b59
Instruction Fuzzy Hash: EF616E72900218BFDF119FA4DC89AEE7FB9EB08320F105125F911BB2A1D775A940DF94

Function 00430FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00431128
GetDesktopWindow.USER32 ref: 0043113D
GetWindowRect.USER32(00000000), ref: 00431144
GetWindowLongW.USER32(?,000000F0), ref: 00431199
DestroyWindow.USER32(?), ref: 004311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0043120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0043121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00431232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00431245
IsWindowVisible.USER32(00000000), ref: 004312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004312D0
GetWindowRect.USER32(00000000,?), ref: 004312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0043130E
GetMonitorInfoW.USER32(00000000,?), ref: 00431328
CopyRect.USER32(?,?), ref: 0043133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004313AA

Strings

0, xrefs: 004310D3
(, xrefs: 0043131B
tooltips_class32, xrefs: 004311E6

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 507450c9ed3f16e3493632d74f01336fb4410e10b19e3254107eb7e0cc563121
Instruction ID: 8a8fa354b51dcc0f9c18a5d1fbefd035e534e4832be9a421f0a3820b506f19bc
Opcode Fuzzy Hash: 507450c9ed3f16e3493632d74f01336fb4410e10b19e3254107eb7e0cc563121
Instruction Fuzzy Hash: B8B19C71608341AFDB04DF64C885B6BBBE4FF89350F00991DF999AB2A1C735E844CB96

Function 003B8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003B8968
GetSystemMetrics.USER32(00000007), ref: 003B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003B899B
GetSystemMetrics.USER32(00000008), ref: 003B89A3
GetSystemMetrics.USER32(00000004), ref: 003B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 003B8A5A
GetStockObject.GDI32(00000011), ref: 003B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 003B8A81

Part of subcall function 003B912D: GetCursorPos.USER32(?), ref: 003B9141
Part of subcall function 003B912D: ScreenToClient.USER32(00000000,?), ref: 003B915E
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000001), ref: 003B9183
Part of subcall function 003B912D: GetAsyncKeyState.USER32(00000002), ref: 003B919D

SetTimer.USER32(00000000,00000000,00000028,003B90FC), ref: 003B8AA8

Strings

AutoIt v3 GUI, xrefs: 003B8A20

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9ea54e014e30255c7444243be36bdc24592c4c6749e959367338f361028b5410
Instruction ID: d2f71bc5c793fcc831c823deb813f2aa950e5ab0fa3c9ef0226be9644c0f73e6
Opcode Fuzzy Hash: 9ea54e014e30255c7444243be36bdc24592c4c6749e959367338f361028b5410
Instruction Fuzzy Hash: E1B15D75A00209AFDF15DF68CC86BEE3BB5FB48314F114129FA15AB2A0DB74A841CB55

Function 00400D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
Part of subcall function 004010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
Part of subcall function 004010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
Part of subcall function 004010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
Part of subcall function 004010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00400DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00400E29
GetLengthSid.ADVAPI32(?), ref: 00400E40
GetAce.ADVAPI32(?,00000000,?), ref: 00400E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00400E96
GetLengthSid.ADVAPI32(?), ref: 00400EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00400EB5
HeapAlloc.KERNEL32(00000000), ref: 00400EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00400EDD
CopySid.ADVAPI32(00000000), ref: 00400EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00400F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00400F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00400F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F6E
HeapFree.KERNEL32(00000000), ref: 00400F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F7E
HeapFree.KERNEL32(00000000), ref: 00400F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00400F8E
HeapFree.KERNEL32(00000000), ref: 00400F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00400FA1
HeapFree.KERNEL32(00000000), ref: 00400FA8

Part of subcall function 00401193: GetProcessHeap.KERNEL32(00000008,00400BB1,?,00000000,?,00400BB1,?), ref: 004011A1
Part of subcall function 00401193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00400BB1,?), ref: 004011A8
Part of subcall function 00401193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00400BB1,?), ref: 004011B7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ce6c344cee8ddb86a5513b4e28e4fe06f43caa7e9a218fe57af9693c310a0c41
Instruction ID: dd0a1e508c23a7d2474bb5077e230ad4152927ba5489f96d53c4d6a61e2dc2cf
Opcode Fuzzy Hash: ce6c344cee8ddb86a5513b4e28e4fe06f43caa7e9a218fe57af9693c310a0c41
Instruction Fuzzy Hash: C8716D7290020AABDF209FA4DC84FAFBBB8BF05301F144126FA59F6291D775D905DB68

Function 0042C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0043CC08,00000000,?,00000000,?,?), ref: 0042C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0042C5A4
_wcslen.LIBCMT ref: 0042C5F4
_wcslen.LIBCMT ref: 0042C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0042C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0042C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0042C84D
RegCloseKey.ADVAPI32(?), ref: 0042C881
RegCloseKey.ADVAPI32(00000000), ref: 0042C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0042C960

Strings

REG_MULTI_SZ, xrefs: 0042C6F5
REG_QWORD, xrefs: 0042C8C3
REG_SZ, xrefs: 0042C644
REG_BINARY, xrefs: 0042C913
REG_EXPAND_SZ, xrefs: 0042C5CD
REG_DWORD, xrefs: 0042C804

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 36a42fc5c0d7c2c16f1c8620c90b40d92250bd2edf7f1de215402a1418ca8bfe
Instruction ID: 28cd4e3ea004749fb82f442ea47d1d9482c65f6340ad00c7e484540e4e1272fe
Opcode Fuzzy Hash: 36a42fc5c0d7c2c16f1c8620c90b40d92250bd2edf7f1de215402a1418ca8bfe
Instruction Fuzzy Hash: 931287356042119FCB15EF24D891B2AB7E5EF89714F04889DF88A9B3A2DB35FC41CB85

Function 0043091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004309C6
_wcslen.LIBCMT ref: 00430A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00430A54
_wcslen.LIBCMT ref: 00430A8A
_wcslen.LIBCMT ref: 00430B06
_wcslen.LIBCMT ref: 00430B81

Part of subcall function 003BF9F2: _wcslen.LIBCMT ref: 003BF9FD

Part of subcall function 00402BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00402BFA

Strings

GETTEXT, xrefs: 00430C97
EXISTS, xrefs: 00430B7C, 00430B97
CHECK, xrefs: 00430A85, 00430AA0
SELECT, xrefs: 00430D11
EXPAND, xrefs: 00430BF8
GETSELECTED, xrefs: 00430C4E
GETTOTALCOUNT, xrefs: 004309F2, 00430A17
GETITEMCOUNT, xrefs: 00430C1E
ISCHECKED, xrefs: 00430CE1
COLLAPSE, xrefs: 00430B01, 00430B1C
UNCHECK, xrefs: 00430D3E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 57499b0f3b27fc7f66f35d79db8d28b1b4bda38904890c11bbbf65a1a3e9d67f
Instruction ID: 263d93099b8d3a42d813662fb68471d7bfcafea370af319c8e7e2b02efd9bc7a
Opcode Fuzzy Hash: 57499b0f3b27fc7f66f35d79db8d28b1b4bda38904890c11bbbf65a1a3e9d67f
Instruction Fuzzy Hash: B3E1A1312083018FC714EF24C46092AB7E1FF99718F149A5EF8969B7A2D739ED45CB86

Function 0042C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
_wcslen.LIBCMT ref: 0042C9F1
_wcslen.LIBCMT ref: 0042CA68
_wcslen.LIBCMT ref: 0042CA9E
_wcslen.LIBCMT ref: 0042CAF9
_wcslen.LIBCMT ref: 0042CB2F
_wcslen.LIBCMT ref: 0042CB7F

Strings

HKLM, xrefs: 0042CA98, 0042CA9D
HKEY_LOCAL_MACHINE, xrefs: 0042CA62, 0042CA67
HKU, xrefs: 0042CBF0
HKCC, xrefs: 0042CBAC
HKEY_CURRENT_CONFIG, xrefs: 0042CB79, 0042CB7E
HKEY_USERS, xrefs: 0042CBDF
HKCU, xrefs: 0042CBCE
HKEY_CLASSES_ROOT, xrefs: 0042CAF3, 0042CAF8
HKCR, xrefs: 0042CB29, 0042CB2E
HKEY_CURRENT_USER, xrefs: 0042CBBD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5baeb96049dbf875457d30bcf9e91693623b6ba2edc6dfc3506fe1a822369fb7
Instruction ID: dd4e5e3c099794cabb27f4f462497e8fbec1c15b5c683f210f618263fa216bd3
Opcode Fuzzy Hash: 5baeb96049dbf875457d30bcf9e91693623b6ba2edc6dfc3506fe1a822369fb7
Instruction Fuzzy Hash: 9871053270013A8BCB20DE7CED916BF37919F61794B90412AF8569B384EB39DD45C399

Function 0043833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0043835A
_wcslen.LIBCMT ref: 0043836E
_wcslen.LIBCMT ref: 00438391
_wcslen.LIBCMT ref: 004383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0043361A,?), ref: 0043844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00438487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00438501
FreeLibrary.KERNEL32(?), ref: 0043850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043851D
DestroyIcon.USER32(?), ref: 0043852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00438549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00438555

Strings

.icl, xrefs: 00438368
.exe, xrefs: 00438388
.dll, xrefs: 004383AB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5464856b4346a6d1a23352f3abd9617c737f0e8bd84e5263f8ec38f5395a5c2b
Instruction ID: 04515a5146d3f21d361865ece0c7c2a817e8cd3837f9c84b5d6c15e86604a465
Opcode Fuzzy Hash: 5464856b4346a6d1a23352f3abd9617c737f0e8bd84e5263f8ec38f5395a5c2b
Instruction Fuzzy Hash: E261E171500315BAEB15DF64CC81BBFB7A8FB08720F10561AF815EA1D1EB78A980CBA4

Function 003A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 003E5279
#cs, xrefs: 003A7873, 003A78C5
Bad directive syntax error, xrefs: 003E519A
#include-once, xrefs: 003A782F
#OnAutoItStartRegister, xrefs: 003A7817
Unterminated group of comments, xrefs: 003E528C
#comments-start, xrefs: 003A785F, 003A78B1
', xrefs: 003E5169
#requireadmin, xrefs: 003A77FF
", xrefs: 003E5153
#pragma compile, xrefs: 003A77D3
#ce, xrefs: 003A78ED
#include, xrefs: 003A7847
#notrayicon, xrefs: 003A77E7
#comments-end, xrefs: 003A78D9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: bf2f7c652d9a9d3a199360e443088b5f398cc10e67e86fbe614dff8fa4d4f139
Instruction ID: 9805b55113d55f9ae1182b78360cecd8aac9daec7a67dc68b0c93d91ee8f3807
Opcode Fuzzy Hash: bf2f7c652d9a9d3a199360e443088b5f398cc10e67e86fbe614dff8fa4d4f139
Instruction Fuzzy Hash: 9581F171A04215BBDB23AF61DC82FBE37A8EF16304F154029F905AE192EB75DE01D7A1

Function 00413E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00413EF8
_wcslen.LIBCMT ref: 00413F03
_wcslen.LIBCMT ref: 00413F5A
_wcslen.LIBCMT ref: 00413F98
GetDriveTypeW.KERNEL32(?), ref: 00413FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0041401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00414059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00414087

Strings

close cd wait, xrefs: 00414072
type cdaudio alias cd wait, xrefs: 00414001
set cd door , xrefs: 00414028
closed, xrefs: 00413F08, 00413F2D, 00413F46, 00413F7E, 00413F97
open, xrefs: 00413F54, 00413F59
open , xrefs: 00413FE5
close, xrefs: 00413EFE, 00413F18
wait, xrefs: 00414044

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 49e01b416526c097ee65034b1385281a5e191f405a57aad57cf7ca4b82b0654b
Instruction ID: f4a9208b4600bcf7957abc96617150db42e835d332e6dcd5bdd888d98fd855cb
Opcode Fuzzy Hash: 49e01b416526c097ee65034b1385281a5e191f405a57aad57cf7ca4b82b0654b
Instruction Fuzzy Hash: 6C7115316042119FC310EF24C8819ABB7F4EF99758F10492EF89597351EB35ED86CB96

Function 00405A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00405A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00405A40
SetWindowTextW.USER32(?,?), ref: 00405A57
GetDlgItem.USER32(?,000003EA), ref: 00405A6C
SetWindowTextW.USER32(00000000,?), ref: 00405A72
GetDlgItem.USER32(?,000003E9), ref: 00405A82
SetWindowTextW.USER32(00000000,?), ref: 00405A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00405AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00405AC3
GetWindowRect.USER32(?,?), ref: 00405ACC
_wcslen.LIBCMT ref: 00405B33
SetWindowTextW.USER32(?,?), ref: 00405B6F
GetDesktopWindow.USER32 ref: 00405B75
GetWindowRect.USER32(00000000), ref: 00405B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00405BD3
GetClientRect.USER32(?,?), ref: 00405BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00405C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00405C2F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dc94136b55825fa4163c01537e1ec71627c9e6904d63494c3794a838301d6686
Instruction ID: 2836f82b77445654b065d36630555853903e0d36a60bafca8f819de0c7248e62
Opcode Fuzzy Hash: dc94136b55825fa4163c01537e1ec71627c9e6904d63494c3794a838301d6686
Instruction Fuzzy Hash: D1714C31900B09AFDB20DFA9CE85A6FBBF5FB48704F104529E542B26A0D779B944CF58

Function 0041FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0041FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0041FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0041FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0041FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0041FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0041FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0041FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0041FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0041FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0041FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0041FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0041FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0041FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0041FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0041FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0041FECC
GetCursorInfo.USER32(?), ref: 0041FEDC
GetLastError.KERNEL32 ref: 0041FF1E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 670ae13885d2ff0f1ca2121c9f9fee13741d37ca91047ab0f04426dbe185d8ba
Instruction ID: 8c0eaf06f9077e316a6fa108da494f50590f7490de16917148c6a7bc3c809eba
Opcode Fuzzy Hash: 670ae13885d2ff0f1ca2121c9f9fee13741d37ca91047ab0f04426dbe185d8ba
Instruction Fuzzy Hash: 504163B0D043196ADB10DFBA8C8585EBFE8FF04754B50452AE119EB281DB78A942CF95

Function 004030F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040318D
_wcslen.LIBCMT ref: 004031F8

Strings

INSTANCE, xrefs: 00403453
CLASSNN, xrefs: 004031F3, 00403204
[F, xrefs: 0040339A
NAME, xrefs: 00403335, 00403346
REGEXPCLASS, xrefs: 00403255, 00403266
CLASS, xrefs: 00403188, 004031A5
TEXT, xrefs: 0040347C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[F
API String ID: 176396367-2139206619
Opcode ID: b5812c98201a5594b3a03d46be8da5a5e456e5f4c6194f3f4fa32d65eca988e8
Instruction ID: b4f885da0b6117f4063ac6b230e009735e04f753bf91a2b04c0a1de8331008b3
Opcode Fuzzy Hash: b5812c98201a5594b3a03d46be8da5a5e456e5f4c6194f3f4fa32d65eca988e8
Instruction Fuzzy Hash: 55E1F532A00516ABCB15DF64C891BEEBFB8BF44711F54813BE456FB280DB38AE458794

Function 003C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003C00C6

Part of subcall function 003C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0047070C,00000FA0,20FD7C4B,?,?,?,?,003E23B3,000000FF), ref: 003C011C
Part of subcall function 003C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003E23B3,000000FF), ref: 003C0127
Part of subcall function 003C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003E23B3,000000FF), ref: 003C0138
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003C014E
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003C015C
Part of subcall function 003C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003C016A
Part of subcall function 003C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003C0195
Part of subcall function 003C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003C01A0

___scrt_fastfail.LIBCMT ref: 003C00E7

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 003C0122
kernel32.dll, xrefs: 003C0133
WakeAllConditionVariable, xrefs: 003C0162
SleepConditionVariableCS, xrefs: 003C0154
InitializeConditionVariable, xrefs: 003C0148

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 90112b0a496bbd9de9745924785ea2d8b2e2a1b60042f881dfb24ad3d0482068
Instruction ID: 6589ce5b5830f2819eeb48da78dd29387e49362104baa5a45ac1436b7894be1a
Opcode Fuzzy Hash: 90112b0a496bbd9de9745924785ea2d8b2e2a1b60042f881dfb24ad3d0482068
Instruction Fuzzy Hash: C0218136A05350EFD71A5BB4AC49F6AB394DB04B61F15013EF805F7691DB749C008F98

Function 004144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0043CC08), ref: 00414527
_wcslen.LIBCMT ref: 0041453B
_wcslen.LIBCMT ref: 00414599
_wcslen.LIBCMT ref: 004145F4
_wcslen.LIBCMT ref: 0041463F
_wcslen.LIBCMT ref: 004146A7

Part of subcall function 003BF9F2: _wcslen.LIBCMT ref: 003BF9FD

GetDriveTypeW.KERNEL32(?,00466BF0,00000061), ref: 00414743

Strings

all, xrefs: 00414531, 00414536
network, xrefs: 0041469D, 004146A2
cdrom, xrefs: 0041458F, 00414594
fixed, xrefs: 00414635, 0041463A
unknown, xrefs: 00414708
ramdisk, xrefs: 004146F1
removable, xrefs: 004145EA, 004145EF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6bd0e5827c1b6a20defc71d2ca102351cc282c5c8e9be2297ee57a9b16a7b609
Instruction ID: 8a7da634dbdd40d52a2cdc7ec30872954714d44af2a38248aedd49aaafe8bbd4
Opcode Fuzzy Hash: 6bd0e5827c1b6a20defc71d2ca102351cc282c5c8e9be2297ee57a9b16a7b609
Instruction Fuzzy Hash: 3AB1F1316083129FC710DF28C890AABB7E5EFE6724F50491EF596C7291D738D885CB96

Function 0043911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00439147

Part of subcall function 00437674: ClientToScreen.USER32(?,?), ref: 0043769A
Part of subcall function 00437674: GetWindowRect.USER32(?,?), ref: 00437710
Part of subcall function 00437674: PtInRect.USER32(?,?,00438B89), ref: 00437720

SendMessageW.USER32(?,000000B0,?,?), ref: 004391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00439225
SendMessageW.USER32(?,000000B0,?,?), ref: 0043923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00439255
SendMessageW.USER32(?,000000B1,?,?), ref: 00439277
DragFinish.SHELL32(?), ref: 0043927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00439371

Strings

@GUI_DROPID, xrefs: 0043929E
@GUI_DRAGID, xrefs: 004392E9
@GUI_DRAGFILE, xrefs: 00439320
p#G, xrefs: 004392BB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#G
API String ID: 221274066-2565994606
Opcode ID: ea41551ddacd03f5fc10966068c0152e6c01ef2876382606e17f81cefc36dffa
Instruction ID: 96e61e0b5b3fd3eccad2aed57530c1a54cbe71c100d3cf87002984a6cc936ffe
Opcode Fuzzy Hash: ea41551ddacd03f5fc10966068c0152e6c01ef2876382606e17f81cefc36dffa
Instruction Fuzzy Hash: D6618C71108300AFD701EF64DC85EAFBBE8EF89750F00192EF595A72A0DB749A49CB56

Function 00423FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0043CC08), ref: 004240BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 004240CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0043CC08), ref: 004240F2
FreeLibrary.KERNEL32(00000000,?,0043CC08), ref: 0042413E
StringFromGUID2.OLE32(?,?,00000028,?,0043CC08), ref: 004241A8
SysFreeString.OLEAUT32(00000009), ref: 00424262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 004242C8
SysFreeString.OLEAUT32(?), ref: 004242F2

Strings

kernel32.dll, xrefs: 004240B6
GetModuleHandleExW, xrefs: 004240C7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 6c448fbff4567f6c858991aba9925e980271e5d961a6fe51062241ebe2bdfcec
Instruction ID: 75b742ee18b648a297d825c6cdc6b8839c99ae9bde9397648bc7959e74e91d51
Opcode Fuzzy Hash: 6c448fbff4567f6c858991aba9925e980271e5d961a6fe51062241ebe2bdfcec
Instruction Fuzzy Hash: 58126C71A00124EFDB14DF94D884EAEB7B5FF85318F648099F905AB251C735EE82CBA4

Function 003A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00471990), ref: 003E2F8D
GetMenuItemCount.USER32(00471990), ref: 003E303D
GetCursorPos.USER32(?), ref: 003E3081
SetForegroundWindow.USER32(00000000), ref: 003E308A
TrackPopupMenuEx.USER32(00471990,00000000,?,00000000,00000000,00000000), ref: 003E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003E30A9

Strings

0, xrefs: 003A327D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f4fd25c0e19427bf0973f91f16a7294b2e40b3e23012e9b18bac5e93f8d5f55
Instruction ID: f0021a7dad6a7b2246b50c64e0d903dc21c9d5104045d685c28edc05eb566a88
Opcode Fuzzy Hash: 5f4fd25c0e19427bf0973f91f16a7294b2e40b3e23012e9b18bac5e93f8d5f55
Instruction Fuzzy Hash: 5E711631644265BEFB229F26CC89FAABF68FF05324F204316F5156A1E0C7B1AD50CB94

Function 00436CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00436DEB

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00436E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00436E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00436E94
DestroyWindow.USER32(?), ref: 00436EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003A0000,00000000), ref: 00436EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00436EFD
GetDesktopWindow.USER32 ref: 00436F16
GetWindowRect.USER32(00000000), ref: 00436F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00436F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00436F4D

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

Strings

0, xrefs: 00436D98
tooltips_class32, xrefs: 00436E58, 00436EDD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: aafaaed627caf18b407a10f9884adb2e41e523258b6312bf753d100cbb3b05a7
Instruction ID: cb71e67071419594582a7825185350777e827cc7f7e1176d22a6214debfb3506
Opcode Fuzzy Hash: aafaaed627caf18b407a10f9884adb2e41e523258b6312bf753d100cbb3b05a7
Instruction Fuzzy Hash: 70717AB4104241AFDB21CF18D845BABBBE9FB89304F14542EFA9997260C774A946CF29

Function 0041C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0041C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0041C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0041C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0041C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0041C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0041C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0041C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0041C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0041C5F0
InternetCloseHandle.WININET(00000000), ref: 0041C5FB

Strings

, xrefs: 0041C575

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: cb4d714424c103d1c4ca76244ffdfb5312f5d4f0fd5ccce956d5a23621cdf0ba
Instruction ID: 6791a0c74ee515c7c0fb20cef3b29f7f9596d5719c84520882225d89b82afcea
Opcode Fuzzy Hash: cb4d714424c103d1c4ca76244ffdfb5312f5d4f0fd5ccce956d5a23621cdf0ba
Instruction Fuzzy Hash: F2515CB1540205BFDB218F61CDC8ABB7BBDFB08754F00442AF94596250DB38E9849B69

Function 0043856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00438592
GetFileSize.KERNEL32(00000000,00000000), ref: 004385A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 004385AD
CloseHandle.KERNEL32(00000000), ref: 004385BA
GlobalLock.KERNEL32(00000000), ref: 004385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004385D7
GlobalUnlock.KERNEL32(00000000), ref: 004385E0
CloseHandle.KERNEL32(00000000), ref: 004385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004385F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0043FC38,?), ref: 00438611
GlobalFree.KERNEL32(00000000), ref: 00438621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00438641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00438671
DeleteObject.GDI32(00000000), ref: 00438699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004386AF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c5767d1c443a3c1ef1a5ede648b97c7d5981e3c03fd72f2c7e6e774d85ad41dc
Instruction ID: c3a257f48d76e4db6c5561f406dfc74bb236600e91580d2de8d630d4facead73
Opcode Fuzzy Hash: c5767d1c443a3c1ef1a5ede648b97c7d5981e3c03fd72f2c7e6e774d85ad41dc
Instruction Fuzzy Hash: 09411975600208BFDB119FA5CC89EABBBB8FF89711F109069F905E7260DB349901DB68

Function 004114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00411502
VariantCopy.OLEAUT32(?,?), ref: 0041150B
VariantClear.OLEAUT32(?), ref: 00411517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00411657
VariantInit.OLEAUT32(?), ref: 00411708
SysFreeString.OLEAUT32(?), ref: 0041178C
VariantClear.OLEAUT32(?), ref: 004117D8
VariantClear.OLEAUT32(?), ref: 004117E7
VariantInit.OLEAUT32(00000000), ref: 00411823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00411625
Default, xrefs: 004116AF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d1c687d37780c45a751b3319487b34c446c24a8b2602f02024dabda1ed445a12
Instruction ID: d95a5ef5e4365d6b433fba8efdbd0df15647efab2054d4bd200e233575fa9746
Opcode Fuzzy Hash: d1c687d37780c45a751b3319487b34c446c24a8b2602f02024dabda1ed445a12
Instruction Fuzzy Hash: 30D10031A00515EBDB009F64D884BFAB7B6BF45700F50805BE646AB6A0DB38DC81DB6A

Function 0042B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0042B80A
RegCloseKey.ADVAPI32(?), ref: 0042B87E
RegCloseKey.ADVAPI32(?), ref: 0042B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0042B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0042B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0042B922
FreeLibrary.KERNEL32(00000000), ref: 0042B983
RegCloseKey.ADVAPI32(00000000), ref: 0042B994

Strings

RegDeleteKeyExW, xrefs: 0042B8FE
advapi32.dll, xrefs: 0042B8ED

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 185b36a5c6eac1843c223fb5346e31e1063dde6b1697659ecc47852a5c072d37
Instruction ID: 9b78f770c9a065e63c6b528641616d36d8c2a662ac010487c2c975fd0b41b9a4
Opcode Fuzzy Hash: 185b36a5c6eac1843c223fb5346e31e1063dde6b1697659ecc47852a5c072d37
Instruction Fuzzy Hash: AEC19B34204211AFD715DF14D495F2ABBE5FF85308F54849DE4AA8B3A2CB39EC46CB86

Function 0042255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004225E8
CreateCompatibleDC.GDI32(?), ref: 004225F4
SelectObject.GDI32(00000000,?), ref: 00422601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0042266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004226D0
SelectObject.GDI32(?,?), ref: 004226D8
DeleteObject.GDI32(?), ref: 004226E1
DeleteDC.GDI32(?), ref: 004226E8
ReleaseDC.USER32(00000000,?), ref: 004226F3

Strings

(, xrefs: 0042268D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 669916094195a1255ddf79670f782d8db67051116a48143b6775dc957b30d639
Instruction ID: a610a1e6fc4c62303778391155af3b4410c4b2f8ca1bfbd7c25da7f62649df79
Opcode Fuzzy Hash: 669916094195a1255ddf79670f782d8db67051116a48143b6775dc957b30d639
Instruction Fuzzy Hash: 96611376E00219EFCF14CFA4D984AAEBBB5FF48310F20842AE955A7250D374A941CFA4

Function 003DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003DDAA1

Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD659
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD66B
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD67D
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD68F
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6A1
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6B3
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6C5
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6D7
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6E9
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD6FB
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD70D
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD71F
Part of subcall function 003DD63C: _free.LIBCMT ref: 003DD731

_free.LIBCMT ref: 003DDA96

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DDAB8
_free.LIBCMT ref: 003DDACD
_free.LIBCMT ref: 003DDAD8
_free.LIBCMT ref: 003DDAFA
_free.LIBCMT ref: 003DDB0D
_free.LIBCMT ref: 003DDB1B
_free.LIBCMT ref: 003DDB26
_free.LIBCMT ref: 003DDB5E
_free.LIBCMT ref: 003DDB65
_free.LIBCMT ref: 003DDB82
_free.LIBCMT ref: 003DDB9A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d1a8a17c117902ccb9d36eb53222d9071be21bb2064c0305a9c22b702a507209
Instruction ID: f70859866067eb71e8d257646cf248ea4a88fbefc414250ddf34f999b3483661
Opcode Fuzzy Hash: d1a8a17c117902ccb9d36eb53222d9071be21bb2064c0305a9c22b702a507209
Instruction Fuzzy Hash: 523127336046059FEB23AA39F845B6A77E9BB11314F16841BF459DB391EB31AC509B20

Function 0040365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0040369C
_wcslen.LIBCMT ref: 004036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00403797
GetClassNameW.USER32(?,?,00000400), ref: 0040380C
GetDlgCtrlID.USER32(?), ref: 0040385D
GetWindowRect.USER32(?,?), ref: 00403882
GetParent.USER32(?), ref: 004038A0
ScreenToClient.USER32(00000000), ref: 004038A7
GetClassNameW.USER32(?,?,00000100), ref: 00403921
GetWindowTextW.USER32(?,?,00000400), ref: 0040395D

Strings

%s%u, xrefs: 00403734

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 7d132f093711efa666cc23125c26cbbb64a70e35e271c7a92f86ca170a643371
Instruction ID: fcd2eb23dd793ce094932065df43bbb7e29e527e00ea6b656471ff3102144e0e
Opcode Fuzzy Hash: 7d132f093711efa666cc23125c26cbbb64a70e35e271c7a92f86ca170a643371
Instruction Fuzzy Hash: B791B271204606AFD715DF24C885FAABBACFF44311F00853AF999E2290DB38AA45CB95

Function 00404954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00404994
GetWindowTextW.USER32(?,?,00000400), ref: 004049DA
_wcslen.LIBCMT ref: 004049EB
CharUpperBuffW.USER32(?,00000000), ref: 004049F7
_wcsstr.LIBVCRUNTIME ref: 00404A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00404A64
GetWindowTextW.USER32(?,?,00000400), ref: 00404A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00404AE6
GetClassNameW.USER32(?,?,00000400), ref: 00404B20
GetWindowRect.USER32(?,?), ref: 00404B8B

Strings

ThumbnailClass, xrefs: 00404A6F, 00404AF1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 68aaa4d791bbc9be6d5c29ba81f5c428b0f26e9997ebc42c67f6ba429bca580a
Instruction ID: edc2c711f9593472e22426604dabc1d3a5dbcc8bc9d669e6d8e44d02687bd4af
Opcode Fuzzy Hash: 68aaa4d791bbc9be6d5c29ba81f5c428b0f26e9997ebc42c67f6ba429bca580a
Instruction Fuzzy Hash: 1591BFB11082059BDB04DF14C985FAB77E8EF84314F04847AFE85AA2D6DB38ED45CBA5

Function 0040BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00471990,000000FF,00000000,00000030), ref: 0040BFAC
SetMenuItemInfoW.USER32(00471990,00000004,00000000,00000030), ref: 0040BFE1
Sleep.KERNEL32(000001F4), ref: 0040BFF3
GetMenuItemCount.USER32(?), ref: 0040C039
GetMenuItemID.USER32(?,00000000), ref: 0040C056
GetMenuItemID.USER32(?,-00000001), ref: 0040C082
GetMenuItemID.USER32(?,?), ref: 0040C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0040C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0040C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0040C145

Strings

0, xrefs: 0040BF3D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: ba58cd1dba4fa80ef9fdf50816483208d452d43a19c1de773d486eafdc4a65fb
Instruction ID: a5deb5c6676b9e404151aecfe9ff6659a70e8b9662162a3071517544b74a8592
Opcode Fuzzy Hash: ba58cd1dba4fa80ef9fdf50816483208d452d43a19c1de773d486eafdc4a65fb
Instruction Fuzzy Hash: 5F617070900256EFDF11CF64CDC8AAF7BA9EB05344F10426AE851B72D1C739AD45CB69

Function 0042CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0042CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0042CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0042CD48

Part of subcall function 0042CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0042CCAA
Part of subcall function 0042CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0042CCBD
Part of subcall function 0042CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0042CCCF
Part of subcall function 0042CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0042CD05
Part of subcall function 0042CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0042CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0042CCF3

Strings

RegDeleteKeyExW, xrefs: 0042CCC9
advapi32.dll, xrefs: 0042CCB8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: ed41dd44a551a5e32bd3ad9c009024017579a642967e73e733b31ed715413671
Instruction ID: 3de11a0a80c1ba161ccd2b37d1e287f863130df146706dade34e65187ef8ce40
Opcode Fuzzy Hash: ed41dd44a551a5e32bd3ad9c009024017579a642967e73e733b31ed715413671
Instruction Fuzzy Hash: A3318075A01128BBDB209BA1ECC8EFFBB7CEF05750F000166A905E3240D6789E45DBA8

Function 00413D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00413D40
_wcslen.LIBCMT ref: 00413D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00413D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00413DBE
RemoveDirectoryW.KERNEL32(?), ref: 00413DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00413E55
CloseHandle.KERNEL32(00000000), ref: 00413E60
CloseHandle.KERNEL32(00000000), ref: 00413E6B

Strings

:, xrefs: 00413D82
\, xrefs: 00413D77
\??\%s, xrefs: 00413D5B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: decde630599e6d16043ece01bff69a25e4dc4c52c12ecc9133dbbbdbb8cfab3f
Instruction ID: 8bcb868f02e4550c3237c0a21393cd92a57e759b972973f6a02923b305808633
Opcode Fuzzy Hash: decde630599e6d16043ece01bff69a25e4dc4c52c12ecc9133dbbbdbb8cfab3f
Instruction Fuzzy Hash: 8431A672900219ABDB219FA0DC89FEF37BDEF88701F1041B6F509E6190E77497848B68

Function 0040E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0040E6B4

Part of subcall function 003BE551: timeGetTime.WINMM(?,?,0040E6D4), ref: 003BE555

Sleep.KERNEL32(0000000A), ref: 0040E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0040E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0040E727
SetActiveWindow.USER32 ref: 0040E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0040E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040E773
Sleep.KERNEL32(000000FA), ref: 0040E77E
IsWindow.USER32 ref: 0040E78A
EndDialog.USER32(00000000), ref: 0040E79B

Strings

BUTTON, xrefs: 0040E719

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5f7500b68968bba32c6c64cfd5211943b33b0229897d4f788d1c6327bd2f2e96
Instruction ID: af0ce38dcf9990f5bd6680aaecee24974ba3d6416d1017e4bba82811041a9ce8
Opcode Fuzzy Hash: 5f7500b68968bba32c6c64cfd5211943b33b0229897d4f788d1c6327bd2f2e96
Instruction Fuzzy Hash: DE21A474200200AFEB006F26EDC9A263B69F754349F641837F91AB22F1DBB99C509B1C

Function 0040E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0040EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0040EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0040EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0040EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0040EAA7

Strings

close PlayMe, xrefs: 0040EA6E, 0040EA9B
play PlayMe wait, xrefs: 0040EA91
play PlayMe, xrefs: 0040EAA2
status PlayMe mode, xrefs: 0040EA58
open , xrefs: 0040EA0C
alias PlayMe, xrefs: 0040EA36

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7f4d75f8e166d8128b6b693def4787abe8384f55d59b1c26c8fcf0f8e75e788c
Instruction ID: da10adef6cbff220bdf3091305d73c81e39a54a030b20782dfb436bec1732408
Opcode Fuzzy Hash: 7f4d75f8e166d8128b6b693def4787abe8384f55d59b1c26c8fcf0f8e75e788c
Instruction Fuzzy Hash: 4111A771B5021979D710A762DC4AEFF6A7CEBD2B00F14083B7801B60D0EFB40919C9B5

Function 00405CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00405CE2
GetWindowRect.USER32(00000000,?), ref: 00405CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00405D59
GetDlgItem.USER32(?,00000002), ref: 00405D69
GetWindowRect.USER32(00000000,?), ref: 00405D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00405DCF
GetDlgItem.USER32(?,000003E9), ref: 00405DDD
GetWindowRect.USER32(00000000,?), ref: 00405DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00405E31
GetDlgItem.USER32(?,000003EA), ref: 00405E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00405E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00405E67

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 13ace6e1a6b15096f57f166ff1881416f0d2daa08bfdab1fbda7e262a3c8f5f3
Instruction ID: 2be87b58101cf934be9d5ec05496e16c5a1b58d4f0f39f4f2da63dac3b2b5e1a
Opcode Fuzzy Hash: 13ace6e1a6b15096f57f166ff1881416f0d2daa08bfdab1fbda7e262a3c8f5f3
Instruction Fuzzy Hash: 71510CB1A00615AFDB18CFA8DD89AAEBBB5EF48310F148139F915F6290D7749E00CF54

Function 003B8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 003B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003B8BE8,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8FC5

DestroyWindow.USER32(?), ref: 003B8C81
KillTimer.USER32(00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 003F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000,?), ref: 003F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003B8BBA,00000000), ref: 003F69D4
DeleteObject.GDI32(00000000), ref: 003F69E6

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e8e5eadb0459c72ca0392a16a9b1105847083d38f826a6e873f534bab4bbae7f
Instruction ID: 7083e9088151983b7ea48545704c144088d6a236c493dc6fa427a7d39991c1c0
Opcode Fuzzy Hash: e8e5eadb0459c72ca0392a16a9b1105847083d38f826a6e873f534bab4bbae7f
Instruction Fuzzy Hash: 6C61CBB1102605DFCB269F18C949BB6BBF9FB4031AF15442DE2469AD70CB71A881DF98

Function 003B9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 003B9944: GetWindowLongW.USER32(?,000000EB), ref: 003B9952

GetSysColor.USER32(0000000F), ref: 003B9862

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: cea24e61f7e2803ed4f20842ff7217eb014307495e10d435cc04c27752e42ba4
Instruction ID: 59885ae78aa508b36f87dad7bc35b1c0067239a1a313ec6cd5d171003c7948e0
Opcode Fuzzy Hash: cea24e61f7e2803ed4f20842ff7217eb014307495e10d435cc04c27752e42ba4
Instruction Fuzzy Hash: 44418131104654AFDF225F389C88BF93BB5AB06334F254616FBA69B5E1D7319C42DB10

Function 003D8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.<, xrefs: 003D903A, 003D8FD0, 003D8FF2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: .<
API String ID: 0-2261328457
Opcode ID: 0c0e066797d80318ba9dfc608e2cf0f01af1ffb603c9f61f28e32967befb345b
Instruction ID: 0802b572b18964438e24d3ce3ebda42b9ba9df9504e31d71cc1c2ba039e4e132
Opcode Fuzzy Hash: 0c0e066797d80318ba9dfc608e2cf0f01af1ffb603c9f61f28e32967befb345b
Instruction Fuzzy Hash: 0BC1D376A04249AFDB13DFA8F841BADBBB5BF09310F15409BF418AB392C7709941CB61

Function 004096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00409717
LoadStringW.USER32(00000000,?,003EF7F8,00000001), ref: 00409720

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00409742
LoadStringW.USER32(00000000,?,003EF7F8,00000001), ref: 00409745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00409866

Strings

Line %d:, xrefs: 004097A0
^ ERROR, xrefs: 004097FB
Line %d (File "%s"):, xrefs: 0040978F
Error: , xrefs: 0040981D
%s (%d) : ==> %s: %s %s, xrefs: 0040984A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 11f631f6fb0859ffb0335d7c125b5a2d74e72057f6b7ddf20ade8150f38492ff
Instruction ID: 55669efb921fe5f498efc755527c48322de471a1c25236d87306e2ec92fe900d
Opcode Fuzzy Hash: 11f631f6fb0859ffb0335d7c125b5a2d74e72057f6b7ddf20ade8150f38492ff
Instruction Fuzzy Hash: FA415E72900219AACF06FBE1CD86EEE7778EF15340F104066F50576092EB396F49CB65

Function 004006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00400804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0040082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00400837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0040083C

Strings

\CLSID, xrefs: 00400724
\IPC$, xrefs: 00400784
SOFTWARE\Classes\, xrefs: 0040070E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 673009e13b0560d28d859f5668a7b32d3005b0cd0abc4474a231b5c80ec94aba
Instruction ID: 5f1bf343b23e293e2317fe30e332fcff3f0adf2f94a7f9c7d1ad1417ccd573b9
Opcode Fuzzy Hash: 673009e13b0560d28d859f5668a7b32d3005b0cd0abc4474a231b5c80ec94aba
Instruction Fuzzy Hash: EF41F876C10229ABDF16EFA4DC959EEB778FF04350F14416AE901B71A1EB349E04CBA0

Function 00423C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00423C5C
CoInitialize.OLE32(00000000), ref: 00423C8A
CoUninitialize.OLE32 ref: 00423C94
_wcslen.LIBCMT ref: 00423D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00423DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00423ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00423F0E
CoGetObject.OLE32(?,00000000,0043FB98,?), ref: 00423F2D
SetErrorMode.KERNEL32(00000000), ref: 00423F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00423FC4
VariantClear.OLEAUT32(?), ref: 00423FD8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 04428d68703df1ee80bdd62f8a6de7efa0301550fe9781ebf806688c713d3d39
Instruction ID: 1eca5fa2d7f2687796508f5444b463c44704e4a5ca1fee784b05aee40c02fbc1
Opcode Fuzzy Hash: 04428d68703df1ee80bdd62f8a6de7efa0301550fe9781ebf806688c713d3d39
Instruction Fuzzy Hash: C1C143716082119FC700DF28D88492BB7F9FF89749F40492EF98A9B211D738EE06CB56

Function 00417A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00417AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00417B8F
SHGetDesktopFolder.SHELL32(?), ref: 00417BA3
CoCreateInstance.OLE32(0043FD08,00000000,00000001,00466E6C,?), ref: 00417BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00417C74
CoTaskMemFree.OLE32(?,?), ref: 00417CCC
SHBrowseForFolderW.SHELL32(?), ref: 00417D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00417D7A
CoTaskMemFree.OLE32(00000000), ref: 00417D81
CoTaskMemFree.OLE32(00000000), ref: 00417DD6
CoUninitialize.OLE32 ref: 00417DDC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 6defc4395dc50a756d1e95638ac608b94d8b7cb2af755cde09c617c8aceb1f74
Instruction ID: dbc5db3e986008b02a30c3a8be11093ae13527d45e112268186321955cb03983
Opcode Fuzzy Hash: 6defc4395dc50a756d1e95638ac608b94d8b7cb2af755cde09c617c8aceb1f74
Instruction Fuzzy Hash: A8C12B75A04109AFCB14DF64C884DAEBBF9FF49304B1484A9E916AB361D734EE81CB94

Function 0043541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00435504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00435515
CharNextW.USER32(00000158), ref: 00435544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00435585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0043559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004355AC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 3620b3a48c4fb185aafd928d9d3b7e825ce0fe0154e3bc267baae4161509046a
Instruction ID: 7722237046d400825e3090a6a6f5514e16f146a12a728404a93000532ea8236f
Opcode Fuzzy Hash: 3620b3a48c4fb185aafd928d9d3b7e825ce0fe0154e3bc267baae4161509046a
Instruction Fuzzy Hash: C161ADB1900608BBDF10DF54CC85AFF3BB9EF0D320F106156F925AA290D7789A81DB69

Function 003FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 003FFB08
VariantInit.OLEAUT32(?), ref: 003FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003FFB3A
VariantCopy.OLEAUT32(?,?), ref: 003FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003FFBA1
VariantClear.OLEAUT32(?), ref: 003FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 003FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003FFBCC
VariantClear.OLEAUT32(?), ref: 003FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003FFBE9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0fd6f51258f8e232135793e05a70ab89de3a85ec77a8b977244f748273e688f7
Instruction ID: 675e5c4f564e6a21de6241250522695c58cfcd1cf9be9a01c17d8eed20a3d1bd
Opcode Fuzzy Hash: 0fd6f51258f8e232135793e05a70ab89de3a85ec77a8b977244f748273e688f7
Instruction Fuzzy Hash: C2415F35A002199FCF05DFA8D8949BEBBB9EF18344F008079E915AB261CB34ED45CF90

Function 00409C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00409CA1
GetAsyncKeyState.USER32(000000A0), ref: 00409D22
GetKeyState.USER32(000000A0), ref: 00409D3D
GetAsyncKeyState.USER32(000000A1), ref: 00409D57
GetKeyState.USER32(000000A1), ref: 00409D6C
GetAsyncKeyState.USER32(00000011), ref: 00409D84
GetKeyState.USER32(00000011), ref: 00409D96
GetAsyncKeyState.USER32(00000012), ref: 00409DAE
GetKeyState.USER32(00000012), ref: 00409DC0
GetAsyncKeyState.USER32(0000005B), ref: 00409DD8
GetKeyState.USER32(0000005B), ref: 00409DEA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 064892c78ce1381130a5e74d9446ee06768147a98b488f2c9e926e66be8d9290
Instruction ID: bdc5a8c402e34a795823b8b0e05b921e638237799105216bba14aab1c9a246c7
Opcode Fuzzy Hash: 064892c78ce1381130a5e74d9446ee06768147a98b488f2c9e926e66be8d9290
Instruction Fuzzy Hash: 8E4195349487CA69FF31966084443A7BEA06F51344F08807BDAC6767C3D7BD9DC4879A

Function 0042055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004205BC
inet_addr.WSOCK32(?), ref: 0042061C
gethostbyname.WSOCK32(?), ref: 00420628
IcmpCreateFile.IPHLPAPI ref: 00420636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004207B9
WSACleanup.WSOCK32 ref: 004207BF

Strings

Ping, xrefs: 00420676

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 918e65bb26203fc489a4b54612b04bbe597e7ce50553581aa396b8de4c8e5f20
Instruction ID: df559fb28d0f3d04a21437edd660dc934c47a2efadf238e0b7191df5beb3c8c8
Opcode Fuzzy Hash: 918e65bb26203fc489a4b54612b04bbe597e7ce50553581aa396b8de4c8e5f20
Instruction Fuzzy Hash: C3919B35604211AFD720DF15D888F1ABBE0EF85318F5485AAE4699B7A3C738ED41CF86

Function 00428CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00428CF3

Part of subcall function 00408E54: _wcslen.LIBCMT ref: 00408E77

_wcslen.LIBCMT ref: 00428D4E
_wcslen.LIBCMT ref: 00428D9C
_wcslen.LIBCMT ref: 00428DDC
_wcslen.LIBCMT ref: 00428E6E

Strings

cdecl, xrefs: 00428D48, 00428D4D
none, xrefs: 00428E65, 00428E6A
winapi, xrefs: 00428D96, 00428D9B
stdcall, xrefs: 00428DD6, 00428DDB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b39538a8b9bcb5742abd246c046f4af9f8aec1b0f91049710b8072814dae21b9
Instruction ID: 44bf10b4878a644449f116a942a737ce04179e9a65b9e0c224984aeb977767c9
Opcode Fuzzy Hash: b39538a8b9bcb5742abd246c046f4af9f8aec1b0f91049710b8072814dae21b9
Instruction Fuzzy Hash: CB51C132B011269BCB14DF68D9409BEB3A5BF65324BA1422EE426EB3C5DF38DD40C794

Function 0042372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00423774
CoUninitialize.OLE32 ref: 0042377F
CoCreateInstance.OLE32(?,00000000,00000017,0043FB78,?), ref: 004237D9
IIDFromString.OLE32(?,?), ref: 0042384C
VariantInit.OLEAUT32(?), ref: 004238E4
VariantClear.OLEAUT32(?), ref: 00423936

Strings

Failed to create object, xrefs: 004237E4, 0042389A
NULL Pointer assignment, xrefs: 0042381E
Invalid parameter, xrefs: 00423865

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 558332cc939a017b7aef6d83d66cf5f73fb68e81dd13404f9c9247e3bb1ba1dd
Instruction ID: e6012a1cd5728f76efe79131d2ee5a7f81086ecb6fffc02ab8334748b8f034c1
Opcode Fuzzy Hash: 558332cc939a017b7aef6d83d66cf5f73fb68e81dd13404f9c9247e3bb1ba1dd
Instruction Fuzzy Hash: CB61DE70708321AFD311EF14D888B5AB7F4EF89706F50481AF5859B291D778EE48CB9A

Function 00413388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004133CF

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004133F0

Strings

^ ERROR , xrefs: 0041349E
Incorrect parameters to object property !, xrefs: 004134AB
Line %d (File "%s"):, xrefs: 00413443, 0041345C
Error: , xrefs: 004134D1
"%s" (%d) : ==> %s:, xrefs: 00413522
"%s" (%d) : ==> %s:%s%s, xrefs: 00413504

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: baac9557fccb78ea7646a6e13e1aeb702f05f999cd8c1c7dc3b260d959b57470
Instruction ID: 6ada7c641f59ecf679ddbff279dbc50655617171818e0a182992072d5f10b988
Opcode Fuzzy Hash: baac9557fccb78ea7646a6e13e1aeb702f05f999cd8c1c7dc3b260d959b57470
Instruction Fuzzy Hash: 6A51BF31900219BADF16EBE0CD46EEEB778EF05344F204066F405761A2EB392F98CB65

Function 0040B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0040B5FC
_wcslen.LIBCMT ref: 0040B608
_wcslen.LIBCMT ref: 0040B64D
_wcslen.LIBCMT ref: 0040B68C
_wcslen.LIBCMT ref: 0040B6C7

Strings

REMOVE, xrefs: 0040B602, 0040B607
EXISTS, xrefs: 0040B686, 0040B68B
APPEND, xrefs: 0040B6C1, 0040B6C6
KEYS, xrefs: 0040B647, 0040B64C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: d0028e2769f3d20d01c323f82b1c506ef4f0b201736c3bb005f5aab89b2b5a3b
Instruction ID: 7934b067292c458a468e08e90f06a742dc9b02d0239dec9ee0b054ba857939e0
Opcode Fuzzy Hash: d0028e2769f3d20d01c323f82b1c506ef4f0b201736c3bb005f5aab89b2b5a3b
Instruction Fuzzy Hash: 5841E532A001279ACB105F7D88905BF77A5EBA0754B254A3BE421EB3C0E73ACD81C7D9

Function 00415393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00415416
GetLastError.KERNEL32 ref: 00415420
SetErrorMode.KERNEL32(00000000,READY), ref: 004154A7

Strings

UNKNOWN, xrefs: 00415444
INVALID, xrefs: 00415459
READONLY, xrefs: 00415452
READY, xrefs: 00415460, 00415468
NOTREADY, xrefs: 0041544B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b567eb0f0f9fd99c0183a1957472a12fe2404a17fb1f051e8ab03fb6c77059ad
Instruction ID: 4d89bb0425ce0adf094a505938959399a2ffa88f0429c8533da10178c7b874f0
Opcode Fuzzy Hash: b567eb0f0f9fd99c0183a1957472a12fe2404a17fb1f051e8ab03fb6c77059ad
Instruction Fuzzy Hash: D5319A35A00604DFCB11DF68D884BEABBB4EB85305F14806AE405DB392EB79DDC6CB95

Function 00433C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00433C79
SetMenu.USER32(?,00000000), ref: 00433C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00433D10
IsMenu.USER32(?), ref: 00433D24
CreatePopupMenu.USER32 ref: 00433D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00433D5B
DrawMenuBar.USER32 ref: 00433D63

Strings

F, xrefs: 00433D4E
0, xrefs: 00433C54

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a9a0ac2c96ca606849ee7a12e44f29d677ccdd985748475ae55f5036310069eb
Instruction ID: d6ada5d6a22f6998ca93b78bf6168ba3d9afffce205708789b7c04200763d3f4
Opcode Fuzzy Hash: a9a0ac2c96ca606849ee7a12e44f29d677ccdd985748475ae55f5036310069eb
Instruction Fuzzy Hash: 01414AB9A01209EFDB14CF64D884EEA7BB5FF49351F141029F946A7360D774AA10CF98

Function 00401EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00401F64
GetDlgCtrlID.USER32 ref: 00401F6F
GetParent.USER32 ref: 00401F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00401F8E
GetDlgCtrlID.USER32(?), ref: 00401F97
GetParent.USER32(?), ref: 00401FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00401FAE

Strings

ListBox, xrefs: 00401F21
ComboBox, xrefs: 00401EEC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d64c636206531a846266bdb94336ffd23829524f4c7318c5826a4d1ef8f3ebc4
Instruction ID: 888cb2ff503e6d09cea0e5b53c6027103e2e1d1454048744d8a72f0b4cd593c1
Opcode Fuzzy Hash: d64c636206531a846266bdb94336ffd23829524f4c7318c5826a4d1ef8f3ebc4
Instruction Fuzzy Hash: 2E21CF71900214BBCF05AFA0CC85EEEBBB8EF06350F104166F961B72E1DB385908DB68

Function 00401FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00402043
GetDlgCtrlID.USER32 ref: 0040204E
GetParent.USER32 ref: 0040206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0040206D
GetDlgCtrlID.USER32(?), ref: 00402076
GetParent.USER32(?), ref: 0040208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0040208D

Strings

ListBox, xrefs: 00402002
ComboBox, xrefs: 00401FCD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d8aa64b55d6183aa1186680026519192e48c1255522898c236f1285b87d19c81
Instruction ID: 6ead20a774eaa732bf3988e95a4ff71419cce7d8f8c98e67bd4b323a9b403f1a
Opcode Fuzzy Hash: d8aa64b55d6183aa1186680026519192e48c1255522898c236f1285b87d19c81
Instruction Fuzzy Hash: BF21D171900214BBDF11AFA0CC89EFEBBB8EF05340F104066FA51B72E1DA795914DB68

Function 00433A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00433A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00433AA0
GetWindowLongW.USER32(?,000000F0), ref: 00433AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00433AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00433B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00433BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00433BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00433BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00433BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00433C13

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 548a153e97e779b950f3ef2f277ec884f0c3075451d54773041163589c9545ff
Instruction ID: d1f1b4e79a1fb6dffce8590996a017a8c6f719a0cc4f2c5b59e39deef2d1d6f8
Opcode Fuzzy Hash: 548a153e97e779b950f3ef2f277ec884f0c3075451d54773041163589c9545ff
Instruction Fuzzy Hash: 82617CB5900248AFDB10DF68CC81EEE77B8EB09700F1051AAFA15A73A2C774AE45DB54

Function 0040B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B165
GetWindowThreadProcessId.USER32(00000000), ref: 0040B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0040B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0040A1E1,?,00000001), ref: 0040B21D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: c62e38e02ddccd153977d85c9962fb3295f52531bd3b7f9fea663cc15ce34c81
Instruction ID: 13d2362a6080c2ed01788669f9034893ebf28b30a03b860172cf9ac2f0e063dd
Opcode Fuzzy Hash: c62e38e02ddccd153977d85c9962fb3295f52531bd3b7f9fea663cc15ce34c81
Instruction Fuzzy Hash: B4319371540204BFDB109F64DC89B6E7BA9FB61356F10483AF905E63D0D7B899808FAC

Function 003D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003D2C94

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003D2CA0
_free.LIBCMT ref: 003D2CAB
_free.LIBCMT ref: 003D2CB6
_free.LIBCMT ref: 003D2CC1
_free.LIBCMT ref: 003D2CCC
_free.LIBCMT ref: 003D2CD7
_free.LIBCMT ref: 003D2CE2
_free.LIBCMT ref: 003D2CED
_free.LIBCMT ref: 003D2CFB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea64cddd3dd496f8e3033c63211423faad9333478f737b8f4b6548da0034d65d
Instruction ID: 45ea39fa0ff8b617b8cdb3acba249ff89d40f3ae2acd4a588b5f1175d8718828
Opcode Fuzzy Hash: ea64cddd3dd496f8e3033c63211423faad9333478f737b8f4b6548da0034d65d
Instruction Fuzzy Hash: D0119676100108AFCB02EF54E852CDE3BA5FF16350F4144A6F9485F322D731EE60AB90

Function 00417DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00417FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00417FC1
GetFileAttributesW.KERNEL32(?), ref: 00417FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00418005
SetCurrentDirectoryW.KERNEL32(?), ref: 00418017
SetCurrentDirectoryW.KERNEL32(?), ref: 00418060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004180B0

Strings

*.*, xrefs: 00418066

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dacd7adc6c3bbb02124332d33df68ba65ee260dc4b2979210a9872ac6f8234ea
Instruction ID: 7ab184d8286487bb84215e5e24dd9185a61e120d115292d17c48f4bb468b6688
Opcode Fuzzy Hash: dacd7adc6c3bbb02124332d33df68ba65ee260dc4b2979210a9872ac6f8234ea
Instruction Fuzzy Hash: CE8180725083459BCB20EF14C884AABB7E8FF89314F14486FF885DB250EB39DD858B56

Function 003A5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 003A5C7A

Part of subcall function 003A5D0A: GetClientRect.USER32(?,?), ref: 003A5D30
Part of subcall function 003A5D0A: GetWindowRect.USER32(?,?), ref: 003A5D71
Part of subcall function 003A5D0A: ScreenToClient.USER32(?,?), ref: 003A5D99

GetDC.USER32 ref: 003E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003E4708
SelectObject.GDI32(00000000,00000000), ref: 003E4716
SelectObject.GDI32(00000000,00000000), ref: 003E472B
ReleaseDC.USER32(?,00000000), ref: 003E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003E47C4

Strings

U, xrefs: 003E4693

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 54eb4d00e690cc6a87a66144c9abdcb070bd131c5b998f53eb9d133f874b860a
Instruction ID: 0f0a3a8104cfa1588fea16557f52f7909139fa97b40f12e03c35bfbcd88188a6
Opcode Fuzzy Hash: 54eb4d00e690cc6a87a66144c9abdcb070bd131c5b998f53eb9d133f874b860a
Instruction Fuzzy Hash: D171F030400255EFCF228F65C984ABA7BB5FF4E325F154369ED656A2AAC3318881DF90

Function 0041359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004135E4

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

LoadStringW.USER32(00472390,?,00000FFF,?), ref: 0041360A

Strings

^ ERROR, xrefs: 004136C9
Line %d (File "%s"):, xrefs: 0041366B
Error: , xrefs: 004136EF
"%s" (%d) : ==> %s:, xrefs: 00413742
"%s" (%d) : ==> %s:%s%s, xrefs: 00413724

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a79c8f2e47cd38c24afcd68fd7d4debbad9ff83dab99f7d2f4ad30859a5686d8
Instruction ID: edf4452e5fd01d3ce2929dc150d886e47e14abcb9deabf8aaabb8d783e7c0ff4
Opcode Fuzzy Hash: a79c8f2e47cd38c24afcd68fd7d4debbad9ff83dab99f7d2f4ad30859a5686d8
Instruction Fuzzy Hash: 90519F71900219BADF16EFA0CC42EEEBB38EF05341F144126F515761A2EB341B99DFA9

Function 0041C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0041C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0041C2CA
GetLastError.KERNEL32 ref: 0041C322
SetEvent.KERNEL32(?), ref: 0041C336
InternetCloseHandle.WININET(00000000), ref: 0041C341

Strings

, xrefs: 0041C2BB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 8806408821ca41e1558cb39915bbb368ad75b8c2c855b58c5c61546cd8aca004
Instruction ID: 07fce0a917f2901ff2977c139ac8c833923c2aecc6e68b3d2704a8f53c798172
Opcode Fuzzy Hash: 8806408821ca41e1558cb39915bbb368ad75b8c2c855b58c5c61546cd8aca004
Instruction Fuzzy Hash: AF31A2B1540208AFD7219F65CCC8AEB7BFCEB49744F10852EF856D2240DB38DD858BA9

Function 0040989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003E3AAF,?,?,Bad directive syntax error,0043CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004098BC
LoadStringW.USER32(00000000,?,003E3AAF,?), ref: 004098C3

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00409987

Strings

Line %d:, xrefs: 00409912
., xrefs: 0040996D
Line %d (File "%s"):, xrefs: 0040992D
%s (%d) : ==> %s.: %s %s, xrefs: 004098F1
Error: , xrefs: 00409955

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b64c9c0833a782f65351718ba0d2b619435566272a97c568bbca0a522756b881
Instruction ID: f5f73dedee925d544187d068f9674e6e5990a5ce9f25d51f5d11ffbd43b67287
Opcode Fuzzy Hash: b64c9c0833a782f65351718ba0d2b619435566272a97c568bbca0a522756b881
Instruction Fuzzy Hash: 4721A032D0021AABCF12AF90CC0AFEE7739FF19304F04446AF5157A0A2EB359A18CB55

Function 0040209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0040214D

Strings

details, xrefs: 004020FB
largeicons, xrefs: 004020E1
SHELLDLL_DefView, xrefs: 004020CC
list, xrefs: 0040212F
smallicons, xrefs: 00402115

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5acba7149dfc032e685eaf898a52a076a211f5d59503e08e44dd338d83044125
Instruction ID: 3fc56472513419668c1b937f56ec6edc055a7c0ad5a3a85df40ce0caabbb9143
Opcode Fuzzy Hash: 5acba7149dfc032e685eaf898a52a076a211f5d59503e08e44dd338d83044125
Instruction Fuzzy Hash: F611C17A688706B9FA1626209C0BEA7779C9B05724F20013BFA04B91D2FAB97C52561D

Function 003DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003DCEB7
_free.LIBCMT ref: 003DCF22
_free.LIBCMT ref: 003DCF48
_free.LIBCMT ref: 003DCF71
_free.LIBCMT ref: 003DCFA9
_free.LIBCMT ref: 003DCFDA
_free.LIBCMT ref: 003DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003DD09C
_free.LIBCMT ref: 003DD0B5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0f326ab5dc8a4b522bb0a92b0b16ddea931e24941b3016e2ce15e3b5081c6ae1
Instruction ID: 13cd215db18a260d9dc6b29b112ecbc9de180c822a5d93cc312c3dd3dfa6dcde
Opcode Fuzzy Hash: 0f326ab5dc8a4b522bb0a92b0b16ddea931e24941b3016e2ce15e3b5081c6ae1
Instruction Fuzzy Hash: 246126B3925302AFDB33AFB4B885AAA7BA9AF05310F05416FF9449B381D7319D41D750

Function 004350D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00435186
ShowWindow.USER32(?,00000000), ref: 004351C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004351CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004351D1

Part of subcall function 00436FBA: DeleteObject.GDI32(00000000), ref: 00436FE6

GetWindowLongW.USER32(?,000000F0), ref: 0043520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0043521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0043524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00435287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00435296

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 299a95dd554c7ef41576ae009edf7d33e025ea8b48f4cce2b05cd5fc0ecdc3bf
Instruction ID: 6f307a7c9a59f75f73aa12df3748fbb0da6ef7af6a38b6445a0e20bc2a931358
Opcode Fuzzy Hash: 299a95dd554c7ef41576ae009edf7d33e025ea8b48f4cce2b05cd5fc0ecdc3bf
Instruction Fuzzy Hash: 8B51C230A40A08BFEF209F25CC46BDA3B65FB09325F146453FA149A3E0C779A990DF49

Function 003B8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003B8874,00000000,00000000,00000000,000000FF,00000000), ref: 003F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,003B8874,00000000,00000000,00000000,000000FF,00000000), ref: 003F692D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: adb64b27dccd561d648a5a39fef78758926a52d49ea5bb98478700bc7ade42e4
Instruction ID: 9cfe1cbaa1101e5ac39121194e59976bcf0a39effc0552766eb470b646548a85
Opcode Fuzzy Hash: adb64b27dccd561d648a5a39fef78758926a52d49ea5bb98478700bc7ade42e4
Instruction Fuzzy Hash: 66519FB0600209EFDB21CF25CC96FAA7BB9FF44754F104528FA16A76A0DB70E991DB50

Function 0041C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0041C182
GetLastError.KERNEL32 ref: 0041C195
SetEvent.KERNEL32(?), ref: 0041C1A9

Part of subcall function 0041C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0041C272
Part of subcall function 0041C253: GetLastError.KERNEL32 ref: 0041C322
Part of subcall function 0041C253: SetEvent.KERNEL32(?), ref: 0041C336
Part of subcall function 0041C253: InternetCloseHandle.WININET(00000000), ref: 0041C341

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8c164ed7fbd708b3b1f89ef2d1980fc2fb8f1ec5d3f1739d6b83bb33044e6f4e
Instruction ID: 70028cc5ba43088e6073bab0ab1c4c0719307ee255c30ca20d903655e36b8bba
Opcode Fuzzy Hash: 8c164ed7fbd708b3b1f89ef2d1980fc2fb8f1ec5d3f1739d6b83bb33044e6f4e
Instruction Fuzzy Hash: 1331A371980601BFDB219FA5DD84AABBBF9FF18300B00546EF95692610C734E854DFA8

Function 004025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00402601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00402605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0040260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00402623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 12b6dc7a8cb1ebefae1a78869921199e68c6f19b4f444977780130883e7aa1a1
Instruction ID: c52432a92790e778ea98707fcdd21af39e386d05378f9825adb1369813ac1b85
Opcode Fuzzy Hash: 12b6dc7a8cb1ebefae1a78869921199e68c6f19b4f444977780130883e7aa1a1
Instruction Fuzzy Hash: 9601B131390210BBFB106B699CCAF593E59DB4AB12F101026F318BE0D1C9F224449E6E

Function 00401803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00401449,?,?,00000000), ref: 0040180C
HeapAlloc.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 00401813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00401449,?,?,00000000), ref: 00401828
GetCurrentProcess.KERNEL32(?,00000000,?,00401449,?,?,00000000), ref: 00401830
DuplicateHandle.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 00401833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00401449,?,?,00000000), ref: 00401843
GetCurrentProcess.KERNEL32(00401449,00000000,?,00401449,?,?,00000000), ref: 0040184B
DuplicateHandle.KERNEL32(00000000,?,00401449,?,?,00000000), ref: 0040184E
CreateThread.KERNEL32(00000000,00000000,00401874,00000000,00000000,00000000), ref: 00401868

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 81a0a3695e7fc6ba3adece8c6e9561eb67eb5078eea46ceceba4ee73d95610d4
Instruction ID: 1c2eee257fbb7ad4a3a4a72839d85a4d81d633495402ab1cf62c9d63f3403bd1
Opcode Fuzzy Hash: 81a0a3695e7fc6ba3adece8c6e9561eb67eb5078eea46ceceba4ee73d95610d4
Instruction Fuzzy Hash: 3101AC75240304BFEA10AB65DC89F573B6CEB89B11F005421FA05EB1A1C6749C109F24

Function 003D3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003D3F0B
__alldvrm.LIBCMT ref: 003D410C
__alldvrm.LIBCMT ref: 003D412E

Strings

}}<, xrefs: 003D3E8A
}}<, xrefs: 003D40CD
}}<, xrefs: 003D3E96, 003D3EF1, 003D3F0A, 003D4090

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}<$}}<$}}<
API String ID: 1036877536-1894432127
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 968f8a436d4f429c2e28fff9ef2c7b1f4a153eae24a46a9cdf1db467072631f8
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 32A12473E002869FDB278F28D8917AEBBE9EF61350F19416EE5859B381C2388D81C751

Function 0042A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0040D501
Part of subcall function 0040D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0040D50F
Part of subcall function 0040D4DC: CloseHandle.KERNELBASE(00000000), ref: 0040D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042A16D
GetLastError.KERNEL32 ref: 0042A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0042A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0042A268
GetLastError.KERNEL32(00000000), ref: 0042A273
CloseHandle.KERNEL32(00000000), ref: 0042A2C4

Strings

SeDebugPrivilege, xrefs: 0042A18F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: db92edf967cd062671da51e4c3fd663c0d185668cf8482a31f087559b90067b7
Instruction ID: e2d07adaab44e7c725acd4aec5816168b259f2db68fb7b4a485633310c7d5e7d
Opcode Fuzzy Hash: db92edf967cd062671da51e4c3fd663c0d185668cf8482a31f087559b90067b7
Instruction Fuzzy Hash: E061AD302042529FD720DF14D494F26BBE1AF44318F58849DE8668F7A3C77AEC55CB96

Function 00433886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00433925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0043393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00433954
_wcslen.LIBCMT ref: 00433999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004339F4

Strings

SysListView32, xrefs: 004338F7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0e23ac55c79335dbb3b963341d7f33e2f360a73dafefaf411536521275138c9e
Instruction ID: 97d6a9bdd931b8303aeab7e19ac08d604e99a096e07f32669d1563e04db90d3f
Opcode Fuzzy Hash: 0e23ac55c79335dbb3b963341d7f33e2f360a73dafefaf411536521275138c9e
Instruction Fuzzy Hash: 5341A171A00218ABEB219F64CC45FEB7BA9EF0C354F10112AF958E7291D7759D80CB94

Function 0040BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0040BCFD
IsMenu.USER32(00000000), ref: 0040BD1D
CreatePopupMenu.USER32 ref: 0040BD53
GetMenuItemCount.USER32(00F65558), ref: 0040BDA4
InsertMenuItemW.USER32(00F65558,?,00000001,00000030), ref: 0040BDCC

Strings

2, xrefs: 0040BD37
0, xrefs: 0040BCA8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 7562488aa2a718f249cd077f74d1614f838dd5bac15c6885bc373078421d0bca
Instruction ID: 569ca6a6e73839d58a55cbb3b447dac6ffcdaff8830c89f061050e255617b289
Opcode Fuzzy Hash: 7562488aa2a718f249cd077f74d1614f838dd5bac15c6885bc373078421d0bca
Instruction Fuzzy Hash: 49519C70A00206EBDB11DFA9C884BAEBBE5EF45314F14423AE851B72D0D7789941CBAD

Function 003C2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 003C2D53
_ValidateLocalCookies.LIBCMT ref: 003C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 003C2E0C
_ValidateLocalCookies.LIBCMT ref: 003C2E61

Strings

&H<, xrefs: 003C2DFE, 003C2E07, 003C2E18
csm, xrefs: 003C2DF6

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H<$csm
API String ID: 1170836740-2692662189
Opcode ID: e91ea5290bbfb4aa566fd38ce2bde86e173bd1abe89201570ed17d499ba4e45d
Instruction ID: d5d7b551be428dc9c0c56cce59d41d2ac98676b7768cde8477165468b5457e05
Opcode Fuzzy Hash: e91ea5290bbfb4aa566fd38ce2bde86e173bd1abe89201570ed17d499ba4e45d
Instruction Fuzzy Hash: B641A334A00209ABCF11DF68C849F9FBBA5BF44324F158169E825EB252DB319E15CB91

Function 0040C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0040C913

Strings

question, xrefs: 0040C8CC
info, xrefs: 0040C8B4
blank, xrefs: 0040C895
warning, xrefs: 0040C8FC
stop, xrefs: 0040C8E4

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 61c24a9cc461592f2e298c4e3f159e91b220a4f95b16da5981b0e025a7ef2af6
Instruction ID: f23ec5bc3c4509ddd30e4d15ac1361ff274994292d79abd636ea1b93dd4ec7dc
Opcode Fuzzy Hash: 61c24a9cc461592f2e298c4e3f159e91b220a4f95b16da5981b0e025a7ef2af6
Instruction Fuzzy Hash: C4112B76689306FAE7056B149CC2EAB279CDF15315B20413FF904F62C2E7786D0153AD

Function 0040DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0040DE42
gethostname.WSOCK32(?,00000100), ref: 0040DE5C
gethostbyname.WSOCK32(?), ref: 0040DE69
inet_ntoa.WSOCK32(?), ref: 0040DEAB
_strcat.LIBCMT ref: 0040DEB9
WSACleanup.WSOCK32 ref: 0040DEDE

Strings

0.0.0.0, xrefs: 0040DE87

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: f1f217891516eeec51a3fc28a1edda382cc04626a699f999f5ac1df421dcf9ae
Instruction ID: 984ad9bc1464aa79bf7a65dca95e023cdd61fdf7f3b8ef2f5995d26e2ffd3f22
Opcode Fuzzy Hash: f1f217891516eeec51a3fc28a1edda382cc04626a699f999f5ac1df421dcf9ae
Instruction Fuzzy Hash: 9711E132904115ABCB25BBA0DC4AEEF77ACDB11711F00017AF505FA1D1EF799A858BA8

Function 00439F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

GetSystemMetrics.USER32(0000000F), ref: 00439FC7
GetSystemMetrics.USER32(0000000F), ref: 00439FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0043A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0043A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0043A263
ShowWindow.USER32(00000003,00000000), ref: 0043A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0043A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0043A2CA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 0898b4c1f53a589f520932febd69f83fa758bc27f25c23e4a7931d9f5f70c9a4
Instruction ID: 1adf7b6d12ff42205e91668879a62b98933021b2a1f884c8565e2ee97d06355d
Opcode Fuzzy Hash: 0898b4c1f53a589f520932febd69f83fa758bc27f25c23e4a7931d9f5f70c9a4
Instruction Fuzzy Hash: AEB1CB31640215DFDF14CF68C9857AE3BB2BF48301F0890AAEC89AB395D739A950CB56

Function 0040ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040ED2A
_wcslen.LIBCMT ref: 0040ED3B
_wcslen.LIBCMT ref: 0040ED79
_wcslen.LIBCMT ref: 0040EDAF
_wcslen.LIBCMT ref: 0040EDDF
_wcslen.LIBCMT ref: 0040EDEF
_wcslen.LIBCMT ref: 0040EE2B
_wcslen.LIBCMT ref: 0040EE5A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c476e1b9aefc70702912c4485b21a70431a3358da45d530d23f6a5b169b73dc6
Instruction ID: cf65b18c56c928277632d96baf1db032e405b799b951b2f39693b8e25f66ff3b
Opcode Fuzzy Hash: c476e1b9aefc70702912c4485b21a70431a3358da45d530d23f6a5b169b73dc6
Instruction Fuzzy Hash: C441A365C1011875CB12EBB5C88AECFB7A8AF45310F50886AF518F7162FB34D655C3E9

Function 003BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 003FF454

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e5dc07115bf83816e1aab446f6dd1fdc835d31070375f65483605319c009afc1
Instruction ID: c601ed16078f96572bb6fc000f3ebd7f515f830ecfa404577a1f8ad4ced90922
Opcode Fuzzy Hash: e5dc07115bf83816e1aab446f6dd1fdc835d31070375f65483605319c009afc1
Instruction Fuzzy Hash: E8411831608680FEC73B9B2D8C887BA7B95AF5631CF15643DE78766D60C731A880DB11

Function 00432D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00432D1B
GetDC.USER32(00000000), ref: 00432D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00432D2E
ReleaseDC.USER32(00000000,00000000), ref: 00432D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00432D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00432D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00435A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00432DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00432DE1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b47701cc55e161813a2d6314af986943099c13cb9c63b6be82a5ee760cfd13f5
Instruction ID: c8ff134d6e0277581398eff177ba3f4d1bfd8ac94c11edc6cdd9296bcbaf68aa
Opcode Fuzzy Hash: b47701cc55e161813a2d6314af986943099c13cb9c63b6be82a5ee760cfd13f5
Instruction Fuzzy Hash: 9A318072201214BFEB114F50CC8AFEB3FADEF09755F045065FE48AA291C6B59C51CBA8

Function 00405622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00405637
_memcmp.LIBVCRUNTIME ref: 00405659
_memcmp.LIBVCRUNTIME ref: 00405671
_memcmp.LIBVCRUNTIME ref: 00405684
_memcmp.LIBVCRUNTIME ref: 0040569E
_memcmp.LIBVCRUNTIME ref: 004056B1
_memcmp.LIBVCRUNTIME ref: 004056C9
_memcmp.LIBVCRUNTIME ref: 004056E4

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c402720adaaac4ee533c0df7d35a1906387282ffde2fb2d9702147adbf70b8a5
Instruction ID: 9e3b75ea010724389bb5f503869a8374363d7f27ee83a7e45d8ef185f2b022ef
Opcode Fuzzy Hash: c402720adaaac4ee533c0df7d35a1906387282ffde2fb2d9702147adbf70b8a5
Instruction Fuzzy Hash: F7212865A40A0877D20455208E82FBB334CFE26388F501437FD08AE6C2F73AED159EAD

Function 00424FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0042502E, 00425383
Not an Object type, xrefs: 00425007

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 20f08ef6504dd4ff433b9da7076e9b6713e5d81d365fc5fea00a5bab70cde06f
Instruction ID: 232189fcb9211675c6ae88241a25c90232888f2e0e9b89793dd8ebfe0f1dc20a
Opcode Fuzzy Hash: 20f08ef6504dd4ff433b9da7076e9b6713e5d81d365fc5fea00a5bab70cde06f
Instruction Fuzzy Hash: 76D1A071B0061A9FDF10CF98E880BAEB7B5BF48344F54806AE915AB381E774DD41CBA4

Function 003E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 003E15CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003E1651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003E16E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003E16FB

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003E1777
__freea.LIBCMT ref: 003E17A2
__freea.LIBCMT ref: 003E17AE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: b3cb9c871e0b25ad8ac93daa40b1adc07d525bfc9f0817d63876b4021bf53ac3
Instruction ID: a31ef1898c1aa1e268f4f7b3ce876149544b08c8a9415ca8470e98b2b894cfb5
Opcode Fuzzy Hash: b3cb9c871e0b25ad8ac93daa40b1adc07d525bfc9f0817d63876b4021bf53ac3
Instruction Fuzzy Hash: BE91C672E002A69ADF228F76C881EEE7BB5AF45710F194769E801E72C1D735DD44CB60

Function 00424523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00424648
VariantInit.OLEAUT32(?), ref: 00424749
VariantClear.OLEAUT32(?), ref: 00424753
VariantClear.OLEAUT32(?), ref: 004247B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004245D8, 00424706, 004247BE
Incorrect Object type in FOR..IN loop, xrefs: 0042472C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e61099760e93781c9f8ba2fb0a910d1eefc83d1f9fb82c6ea8289265d4b2cd94
Instruction ID: 2002acd2d66689edc96852eb29423560910d86cbe2af9ff1eea8eedf08115d42
Opcode Fuzzy Hash: e61099760e93781c9f8ba2fb0a910d1eefc83d1f9fb82c6ea8289265d4b2cd94
Instruction Fuzzy Hash: 8F919371A00225AFDF20CFA5D844FAFBBB8EF86714F10855AF515AB280D7789941CFA4

Function 00411187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0041125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00411284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0041135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00411430

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 72265dc4b1d90ffbeb1f3d395ef48fac8755fc2516b17693d982df3300666965
Instruction ID: ada8e3125044e1dd3d7c48dc9f5b1b5b7cc70aaeb14401aa21f108bb491f9cd2
Opcode Fuzzy Hash: 72265dc4b1d90ffbeb1f3d395ef48fac8755fc2516b17693d982df3300666965
Instruction Fuzzy Hash: 34912671A002199FDB01DFA4D884BFEB7B5FF45714F14402AEA01EB2A1D778A981CF99

Function 003B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5c0e996fae05dce471ca976eca2451533a6367ce7689dfb4a92f0f353dc8d951
Instruction ID: 38bcddd4719c59717dd16acba27f865518173538992aab0a6f130280c1b50423
Opcode Fuzzy Hash: 5c0e996fae05dce471ca976eca2451533a6367ce7689dfb4a92f0f353dc8d951
Instruction Fuzzy Hash: 68916971D40219EFCB16CFA9CC84AEEBBB8FF49324F148456E615B7251D374AA41CBA0

Function 00423947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0042396B
CharUpperBuffW.USER32(?,?), ref: 00423A7A
_wcslen.LIBCMT ref: 00423A8A
VariantClear.OLEAUT32(?), ref: 00423C1F

Part of subcall function 00410CDF: VariantInit.OLEAUT32(00000000), ref: 00410D1F
Part of subcall function 00410CDF: VariantCopy.OLEAUT32(?,?), ref: 00410D28
Part of subcall function 00410CDF: VariantClear.OLEAUT32(?), ref: 00410D34

Strings

Incorrect Parameter format, xrefs: 004239A6, 00423BA1
AUTOIT.ERROR, xrefs: 00423A80, 00423A85

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 49fe47c65a6f3abbff4ed683d12f6f6cc36f0754b192ed815b96d6f3ad09163f
Instruction ID: d66e608501fa3b14dedceabb4fb70d8968872d23830b93e2734ceee8a8854124
Opcode Fuzzy Hash: 49fe47c65a6f3abbff4ed683d12f6f6cc36f0754b192ed815b96d6f3ad09163f
Instruction Fuzzy Hash: 6F9165756083119FC700EF24D48096ABBE4FF89314F04882EF88A9B351DB38EE45CB96

Function 00424BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0040000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?,?,0040035E), ref: 0040002B
Part of subcall function 0040000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400046
Part of subcall function 0040000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400054
Part of subcall function 0040000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?), ref: 00400064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00424C51
_wcslen.LIBCMT ref: 00424D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00424DCF
CoTaskMemFree.OLE32(?), ref: 00424DDA

Strings

NULL Pointer assignment, xrefs: 00424E23, 00424E52

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 2d26ffd265d9261955110aa6b357c473356936b336e0f656a1e607162f0a55fd
Instruction ID: 0e0386e66f2cfb03805de32f1e34fdb9e99b7f012aaf28500c6822b7df31c25b
Opcode Fuzzy Hash: 2d26ffd265d9261955110aa6b357c473356936b336e0f656a1e607162f0a55fd
Instruction Fuzzy Hash: D8912671D00229AFDF15DFA4D881AEEB7B8FF48304F50816AE915BB241DB389A45CF64

Function 004320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00432183
GetMenuItemCount.USER32(00000000), ref: 004321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004321DD
_wcslen.LIBCMT ref: 00432213
GetMenuItemID.USER32(?,?), ref: 0043224D
GetSubMenu.USER32(?,?), ref: 0043225B

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004322E3

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a7e70950b85adff172d972e1858891b4097b201e171d341922f433f20f9762a5
Instruction ID: 941506635308971e7d34904a5a718e368464f474ceaae419ff4c9c9b4e40cae3
Opcode Fuzzy Hash: a7e70950b85adff172d972e1858891b4097b201e171d341922f433f20f9762a5
Instruction Fuzzy Hash: 0671AF35A00215AFCB11EF64C981AAEB7F1EF4D310F1094AAE916FB351D778ED418B94

Function 00437E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F655D0), ref: 00437F37
IsWindowEnabled.USER32(00F655D0), ref: 00437F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0043801E
SendMessageW.USER32(00F655D0,000000B0,?,?), ref: 00438051
IsDlgButtonChecked.USER32(?,?), ref: 00438089
GetWindowLongW.USER32(00F655D0,000000EC), ref: 004380AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 004380C3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 44a5fda51d0997b9ad217452438f3fb9bd999864230588174121b49762a7ed1d
Instruction ID: 9634fce7565baae8eae7cb3032d38f7c798add568ae91929f62848d8c13f24a0
Opcode Fuzzy Hash: 44a5fda51d0997b9ad217452438f3fb9bd999864230588174121b49762a7ed1d
Instruction Fuzzy Hash: E9718CB4608204AFEB359F64C884FABBBB5FF0D300F14605AF99597361CB39A845DB18

Function 0040AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040AEF9
GetKeyboardState.USER32(?), ref: 0040AF0E
SetKeyboardState.USER32(?), ref: 0040AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0040AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0040AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0040AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0040B020

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1299dfce9ef73ab23abefaa01f2efe37a76270fc239d79dc75d8ab0828f4618d
Instruction ID: f6b91e0cf5d6d1637bd32f162d5995f1336e43e8b96792ae84184ce6e27a9a3a
Opcode Fuzzy Hash: 1299dfce9ef73ab23abefaa01f2efe37a76270fc239d79dc75d8ab0828f4618d
Instruction Fuzzy Hash: D951B4A06047D63DFB368334C845BBB7EA99B06304F0885AAE1D5655C2C3BCACD4D799

Function 0040ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0040AD19
GetKeyboardState.USER32(?), ref: 0040AD2E
SetKeyboardState.USER32(?), ref: 0040AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0040ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0040ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0040AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0040AE38

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c3600d5b4c6129068d7a5d19e558d911e8b47b74264f7b4d3b6cb73057f7f75e
Instruction ID: 2da1397768b04de001af7f66cbd87115695ee67f03b7927b56f7cee0efe9f4c5
Opcode Fuzzy Hash: c3600d5b4c6129068d7a5d19e558d911e8b47b74264f7b4d3b6cb73057f7f75e
Instruction Fuzzy Hash: 4051E4A15447D13DFB328334CC85B7B7E995F46300F0884AAE1D5669C2D2BCECA8D79A

Function 003D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(003E3CD6,?,?,?,?,?,?,?,?,003D5BA3,?,?,003E3CD6,?,?), ref: 003D5470
__fassign.LIBCMT ref: 003D54EB
__fassign.LIBCMT ref: 003D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003E3CD6,00000005,00000000,00000000), ref: 003D552C
WriteFile.KERNEL32(?,003E3CD6,00000000,003D5BA3,00000000,?,?,?,?,?,?,?,?,?,003D5BA3,?), ref: 003D554B
WriteFile.KERNEL32(?,?,00000001,003D5BA3,00000000,?,?,?,?,?,?,?,?,?,003D5BA3,?), ref: 003D5584

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 57807862d1e9a389af525bec7734a5d657c2da953fa97a13171fbb8aa21fc72f
Instruction ID: d98e2f5a675d717a074a9000fb700d8987bff1eb67670a18018459403e99e302
Opcode Fuzzy Hash: 57807862d1e9a389af525bec7734a5d657c2da953fa97a13171fbb8aa21fc72f
Instruction Fuzzy Hash: 0A51D7719006499FDB12CFA8E881AEEBBF9EF09300F14411BF556E7391D7309A41CB60

Function 004210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0042307A
Part of subcall function 0042304E: _wcslen.LIBCMT ref: 0042309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00421112
WSAGetLastError.WSOCK32 ref: 00421121
WSAGetLastError.WSOCK32 ref: 004211C9
closesocket.WSOCK32(00000000), ref: 004211F9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 58e0af90ac755396ed007fa2b5d19fdb22e7e542ceb1e6e568a7998ecb008854
Instruction ID: acf3ff6c155c22310db818a584a13eb73091ee5c6323ae544844026af9a07b2a
Opcode Fuzzy Hash: 58e0af90ac755396ed007fa2b5d19fdb22e7e542ceb1e6e568a7998ecb008854
Instruction Fuzzy Hash: 7241D731600214AFDB109F14D885BBAB7E9FF45314F54806AFD15AB291C778AE41CBE5

Function 0040CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0040CF22,?), ref: 0040DDFD

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0040CF22,?), ref: 0040DE16

lstrcmpiW.KERNEL32(?,?), ref: 0040CF45
MoveFileW.KERNEL32(?,?), ref: 0040CF7F
_wcslen.LIBCMT ref: 0040D005
_wcslen.LIBCMT ref: 0040D01B
SHFileOperationW.SHELL32(?), ref: 0040D061

Strings

\*.*, xrefs: 0040CFF3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 4c2fa0f077dd90f5c785acf4b287ea178ec0969dee40806ea32947ed838fd3f5
Instruction ID: c2e5193e7ac4a0a6e6c8bd70fe0fd4d729ba691681f81270c497df80124d6d47
Opcode Fuzzy Hash: 4c2fa0f077dd90f5c785acf4b287ea178ec0969dee40806ea32947ed838fd3f5
Instruction Fuzzy Hash: 62415771D452199EDF12EBA4D981EDE77B8AF08340F1000FBE505FB181EB38AA48CB55

Function 00432DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00432E1C
GetWindowLongW.USER32(?,000000F0), ref: 00432E4F
GetWindowLongW.USER32(?,000000F0), ref: 00432E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00432EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00432EE0
GetWindowLongW.USER32(?,000000F0), ref: 00432EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00432F0B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b85aba25872b8289ac5f072a7cf4058b5ce0eed81cdc8bd65b5fea75b778e208
Instruction ID: 6f25e561f6f36a59effc36464a0118387242dba42b77e05f048c539da22206d9
Opcode Fuzzy Hash: b85aba25872b8289ac5f072a7cf4058b5ce0eed81cdc8bd65b5fea75b778e208
Instruction Fuzzy Hash: 3D312631604250AFEB20CF18DE86F6637E0FB4E710F142166FA049F2B1CBB5A881DB49

Function 00407726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0040778F
SysAllocString.OLEAUT32(00000000), ref: 00407792
SysAllocString.OLEAUT32(?), ref: 004077B0
SysFreeString.OLEAUT32(?), ref: 004077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004077DE
SysAllocString.OLEAUT32(?), ref: 004077EC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eaaf545069b8e2cea0a4266568fe6c38825248ec47eaee4dced1d2e5e2b5afb8
Instruction ID: d507e32f8843ac2a45cb0d69c72e3c0f0f0bdef8a9b6c475680a4a104e4e0acb
Opcode Fuzzy Hash: eaaf545069b8e2cea0a4266568fe6c38825248ec47eaee4dced1d2e5e2b5afb8
Instruction Fuzzy Hash: A821DB76A04219AFDF10DFA8CC84CBB77ACEB093647004036FA04EB290D674FC418B69

Function 004077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00407868
SysAllocString.OLEAUT32(00000000), ref: 0040786B
SysAllocString.OLEAUT32 ref: 0040788C
SysFreeString.OLEAUT32 ref: 00407895
StringFromGUID2.OLE32(?,?,00000028), ref: 004078AF
SysAllocString.OLEAUT32(?), ref: 004078BD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 83477ff34128ff9854b593c65a3efd3cafe69b1639e36ba52ffb89a776ba4a3f
Instruction ID: 75a4dec4a1fd4f54f5160675ca9d9bc91b18b06998f894eae968217a3f7e2e0a
Opcode Fuzzy Hash: 83477ff34128ff9854b593c65a3efd3cafe69b1639e36ba52ffb89a776ba4a3f
Instruction Fuzzy Hash: 3F216532A04104AFDB10AFA8DC88DAB77ACEB097607108136F915EB2A1D674EC41CB69

Function 004104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0041052E

Strings

nul, xrefs: 00410567

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4f1f2a3f7f06e178fd0517450461dc5c6ced684d2e8a3e882244264835affbf4
Instruction ID: 145d72a42586ad04991780144b7e1ce65f16895cc5e7e854402c1ab7c2558239
Opcode Fuzzy Hash: 4f1f2a3f7f06e178fd0517450461dc5c6ced684d2e8a3e882244264835affbf4
Instruction Fuzzy Hash: 04216D75500305ABDB209F69DC44BDA7BA5AF44764F204A2AFCA1E62E0D7B499D0CF28

Function 004105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00410601

Strings

nul, xrefs: 00410639

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2d8672ecfc06b39add9118174b09bfc5bfc3323becf01e75e994211e0455db9b
Instruction ID: a46a248581df07818427fc7e585e2e32f8cb80c20544b48a7eee06c580adc576
Opcode Fuzzy Hash: 2d8672ecfc06b39add9118174b09bfc5bfc3323becf01e75e994211e0455db9b
Instruction Fuzzy Hash: F02183755003059BDB209F69DC44ADB77E4AF95724F200A1AFCA1E72D0D7F498E1CB18

Function 004340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
Part of subcall function 003A600E: GetStockObject.GDI32(00000011), ref: 003A6060
Part of subcall function 003A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00434112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0043411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0043412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00434139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00434145

Strings

Msctls_Progress32, xrefs: 004340E3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3da530a8d64584b4cc5cff9c0a691d350e987fe88154917c11dbdbeff5ac4fdf
Instruction ID: 0ce9cd443a2882665454825cac0b4e4bbff33d7f628d47543f6dc52a119371a6
Opcode Fuzzy Hash: 3da530a8d64584b4cc5cff9c0a691d350e987fe88154917c11dbdbeff5ac4fdf
Instruction Fuzzy Hash: 4D11B2B2140219BEEF119F64CC86EE77F6DEF08798F015111FA18A6150CB769C61DBA8

Function 003DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003DD7A3: _free.LIBCMT ref: 003DD7CC

_free.LIBCMT ref: 003DD82D

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DD838
_free.LIBCMT ref: 003DD843
_free.LIBCMT ref: 003DD897
_free.LIBCMT ref: 003DD8A2
_free.LIBCMT ref: 003DD8AD
_free.LIBCMT ref: 003DD8B8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 265cc5e0cbabb33a9fba450bf46c42fe4c22b2b3fd43c6cfef40796dc1aabeb9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D8113A72540B04AAD623BFB0EC47FCB7BDCBF11700F400826B29DAA292DB76B5159660

Function 0040DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0040DA74
LoadStringW.USER32(00000000), ref: 0040DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0040DA91
LoadStringW.USER32(00000000), ref: 0040DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0040DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0040DAB9

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 15c6de713d94d2fd72d97f43ab22f1530df3e9d780d1399765cfb4126b80a0d6
Instruction ID: f4edd72c886a2f16d28da89602b03ac74e676985764b843026b4a06d4c73324c
Opcode Fuzzy Hash: 15c6de713d94d2fd72d97f43ab22f1530df3e9d780d1399765cfb4126b80a0d6
Instruction Fuzzy Hash: 0A0162F29002087FEB109BE09DC9EE7326CE708301F4054A6B716F2081EA789E844F79

Function 0041096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F5E498,00F5E498), ref: 0041097B
EnterCriticalSection.KERNEL32(00F5E478,00000000), ref: 0041098D
TerminateThread.KERNEL32(?,000001F6), ref: 0041099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004109A9
CloseHandle.KERNEL32(?), ref: 004109B8
InterlockedExchange.KERNEL32(00F5E498,000001F6), ref: 004109C8
LeaveCriticalSection.KERNEL32(00F5E478), ref: 004109CF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 33143b0e301424a9d5cd04bbf52ad5686c147b6c9e0845420057295f5a233265
Instruction ID: ccfc7efa956971b071b7d541538613a290665ad9462b22404ab3366e3e458765
Opcode Fuzzy Hash: 33143b0e301424a9d5cd04bbf52ad5686c147b6c9e0845420057295f5a233265
Instruction Fuzzy Hash: 88F0CD71442512ABE7515B94EEC9AD77A25BF05702F402066F101608A1C7B594B5CF98

Function 003A5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003A5D30
GetWindowRect.USER32(?,?), ref: 003A5D71
ScreenToClient.USER32(?,?), ref: 003A5D99
GetClientRect.USER32(?,?), ref: 003A5ED7
GetWindowRect.USER32(?,?), ref: 003A5EF8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 79134518b911e8e4356a984dbdea29b7622419195bbfdc47672ad2cc859bd9a1
Instruction ID: ae98e0f2237d918b4aef6f5181ac5ca634407581093a804e1c93cf5ac5e24380
Opcode Fuzzy Hash: 79134518b911e8e4356a984dbdea29b7622419195bbfdc47672ad2cc859bd9a1
Instruction Fuzzy Hash: 6CB19D35A0078ADBDB15CFA9C480BEEB7F1FF58310F14851AE8A9D7690D734AA50CB54

Function 003D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D00D6
__allrem.LIBCMT ref: 003D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D010B
__allrem.LIBCMT ref: 003D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003D0140

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 54d44792d601d2b78498f741d16ed2c9ff53ceb528949c21ed6a11ca27406ecf
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: F681E377A00706AFE726AE29DC41B6AB3A9EF41B24F25462FF451DB781E770DD008790

Function 00421D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00423149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0042101C,00000000,?,?,00000000), ref: 00423195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00421DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00421DE1
WSAGetLastError.WSOCK32 ref: 00421DF2
inet_ntoa.WSOCK32(?), ref: 00421E8C
htons.WSOCK32(?,?,?,?,?), ref: 00421EDB
_strlen.LIBCMT ref: 00421F35

Part of subcall function 004039E8: _strlen.LIBCMT ref: 004039F2

Part of subcall function 003A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,003BCF58,?,?,?), ref: 003A6DBA
Part of subcall function 003A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,003BCF58,?,?,?), ref: 003A6DED

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 2cdd3d0eadc2046ed5fa139f93e5d1928d0050d99c5c9a4f1c399c010903dba8
Instruction ID: 64eb0e53d0bea4a1bc4877dd4548eaacb690f3bce36d3236eac7641ca6611e46
Opcode Fuzzy Hash: 2cdd3d0eadc2046ed5fa139f93e5d1928d0050d99c5c9a4f1c399c010903dba8
Instruction Fuzzy Hash: CEA1EE31604350AFC325DF20D881F2BBBA5AF95318F94895DF4565F2A2CB35EE42CB92

Function 003D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003C82D9,003C82D9,?,?,?,003D644F,00000001,00000001,8BE85006), ref: 003D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003D644F,00000001,00000001,8BE85006,?,?,?), ref: 003D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003D63D8
__freea.LIBCMT ref: 003D63E5

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

__freea.LIBCMT ref: 003D63EE
__freea.LIBCMT ref: 003D6413

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 189bad5694d1e6787f1159cc1baef2fd222590038b0277de1b970d43be69d3a5
Instruction ID: a5dcaba8f2705cf400a542aa1cc614471f4ce1fdc3105eaa343b68273640f46e
Opcode Fuzzy Hash: 189bad5694d1e6787f1159cc1baef2fd222590038b0277de1b970d43be69d3a5
Instruction Fuzzy Hash: 6451F373A00216ABDB278F64EC82EAF77A9EB44710F16472AFC25DA251DB34DC44D660

Function 0042BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042BD25
RegCloseKey.ADVAPI32(00000000), ref: 0042BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0042BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042BDF3
RegCloseKey.ADVAPI32(?), ref: 0042BDFF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3c272b92bf3d55a6dba69cefae46a1d15fe67901c26f9695c53c589e80f042b7
Instruction ID: 3f13aa60461a1231c6e23a0b82f017b7b1b0433eaf822a6c117cb630aa83254c
Opcode Fuzzy Hash: 3c272b92bf3d55a6dba69cefae46a1d15fe67901c26f9695c53c589e80f042b7
Instruction Fuzzy Hash: D381CC30208241AFC715DF24D881E6BBBE5FF85308F54886EF5598B2A2CB35ED45CB92

Function 003FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003FF7B9
SysAllocString.OLEAUT32(00000001), ref: 003FF860
VariantCopy.OLEAUT32(003FFA64,00000000), ref: 003FF889
VariantClear.OLEAUT32(003FFA64), ref: 003FF8AD
VariantCopy.OLEAUT32(003FFA64,00000000), ref: 003FF8B1
VariantClear.OLEAUT32(?), ref: 003FF8BB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 34cddb5523203f80ec2b644417989264e753696c45a849d9f5760140df86123b
Instruction ID: 5eeb9ab8b3d3cddb6ae824cf3664108a46381801159a2b3aeaf1cb61abcc969c
Opcode Fuzzy Hash: 34cddb5523203f80ec2b644417989264e753696c45a849d9f5760140df86123b
Instruction Fuzzy Hash: 5551D635500318FECF22AB65D895B3AB3A8EF45310F249467EE05EF296DBB08C40DB56

Function 0041910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004194E5
_wcslen.LIBCMT ref: 00419506
_wcslen.LIBCMT ref: 0041952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00419585

Strings

X, xrefs: 00419412

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f55f8cc7e6713d537d430e595ded5c4f2e609e63e4f13af84ba49b339aa9c381
Instruction ID: 74543240a7319418163efc4879d404daa715c38d473a1e08d7c6baab3ed6e389
Opcode Fuzzy Hash: f55f8cc7e6713d537d430e595ded5c4f2e609e63e4f13af84ba49b339aa9c381
Instruction Fuzzy Hash: B4E1B1316083009FC715DF24C891AAAB7E5FF86314F04896EF8999B3A2DB34DD45CB96

Function 003B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

BeginPaint.USER32(?,?,?), ref: 003B9241
GetWindowRect.USER32(?,?), ref: 003B92A5
ScreenToClient.USER32(?,?), ref: 003B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003B92D3
EndPaint.USER32(?,?,?,?,?), ref: 003B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003F71EA

Part of subcall function 003B9339: BeginPath.GDI32(00000000), ref: 003B9357

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 7be1907ca209416c16051218b7d8be35078746730d1b6e4c1666014b91741beb
Instruction ID: 865f61c88c2813e48367b2e71163736d1ebd54d5e8d042f6ab7de451d1c5bb57
Opcode Fuzzy Hash: 7be1907ca209416c16051218b7d8be35078746730d1b6e4c1666014b91741beb
Instruction Fuzzy Hash: DD419FB1104204AFD712DF28CC85FBA7BA8EB49324F14066AFB989B6B1C7319845DB65

Function 004107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0041080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00410847
EnterCriticalSection.KERNEL32(?), ref: 00410863
LeaveCriticalSection.KERNEL32(?), ref: 004108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00410921

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 6069fd60bd9373881aaca17cfda58e30b8a60f4cd84c371c3e181f22e6eb3064
Instruction ID: 358158edacd6e39bf33041dbee34d99de0399a246fdad965eb0ff48b299c2fca
Opcode Fuzzy Hash: 6069fd60bd9373881aaca17cfda58e30b8a60f4cd84c371c3e181f22e6eb3064
Instruction Fuzzy Hash: DF417B71900205EFDF15AF64DC85AAA7779FF04304F1040B9ED00AE296DB74DEA0DBA4

Function 004381DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003FF3AB,00000000,?,?,00000000,?,003F682C,00000004,00000000,00000000), ref: 0043824C
EnableWindow.USER32(?,00000000), ref: 00438272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004382D1
ShowWindow.USER32(?,00000004), ref: 004382E5
EnableWindow.USER32(?,00000001), ref: 0043830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0043832F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f4b85541a17ae41089962fd31a1fdf7508d1811e6f220a6a016c964b8a7d3b3a
Instruction ID: 76bc8611c43b91da5f159bba5104100165383127a62aef36d21b09f4524b099d
Opcode Fuzzy Hash: f4b85541a17ae41089962fd31a1fdf7508d1811e6f220a6a016c964b8a7d3b3a
Instruction Fuzzy Hash: FA418474601744AFDB11CF15C895BA6BBE0BB0D714F1861BEFA185B372CB36A841CB58

Function 00404C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00404CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00404CEA
_wcslen.LIBCMT ref: 00404D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00404D10
_wcsstr.LIBVCRUNTIME ref: 00404D1A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: bcfae019ec1108dd31ffb0622247f620c286e10e6367d23262c5220f110625f5
Instruction ID: c329de15916345a579704e0a9a82f6ea4ac5c4f95b2340d01a2dec6ccc24ec09
Opcode Fuzzy Hash: bcfae019ec1108dd31ffb0622247f620c286e10e6367d23262c5220f110625f5
Instruction Fuzzy Hash: C721D7B12042007BFB165B35AC4AE7B7B9CDF85750F10403AFA05EA2D1DA75DD0197A4

Function 0041581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003A3A97,?,?,003A2E7F,?,?,?,00000000), ref: 003A3AC2

_wcslen.LIBCMT ref: 0041587B
CoInitialize.OLE32(00000000), ref: 00415995
CoCreateInstance.OLE32(0043FCF8,00000000,00000001,0043FB68,?), ref: 004159AE
CoUninitialize.OLE32 ref: 004159CC

Strings

.lnk, xrefs: 00415876, 004158C1, 00415985

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 3aacda585111bf74bcdd49a26aca7167edacc2520a3b0ae3859bc30051717595
Instruction ID: f289b5fcc503dd32eb516601e8abed3ecc53556820895bb688109a52b0bfd081
Opcode Fuzzy Hash: 3aacda585111bf74bcdd49a26aca7167edacc2520a3b0ae3859bc30051717595
Instruction Fuzzy Hash: 36D15570608701DFC714EF24C480AAABBE1EF8A714F14885EF8899B361D735EC85CB96

Function 0040175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00400FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00400FCA
Part of subcall function 00400FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00400FD6
Part of subcall function 00400FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00400FE5
Part of subcall function 00400FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00400FEC
Part of subcall function 00400FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00401002

GetLengthSid.ADVAPI32(?,00000000,00401335), ref: 004017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004017BA
HeapAlloc.KERNEL32(00000000), ref: 004017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004017DA
GetProcessHeap.KERNEL32(00000000,00000000,00401335), ref: 004017EE
HeapFree.KERNEL32(00000000), ref: 004017F5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: e4beea1bcf3e48f9cbceb575b3931093d67cc856680050ce9a164fbeb492049e
Instruction ID: fa6cd50e243ef2f8e9fdadbb1159ea9118c79f725ea1555cab43b86155ebbf92
Opcode Fuzzy Hash: e4beea1bcf3e48f9cbceb575b3931093d67cc856680050ce9a164fbeb492049e
Instruction Fuzzy Hash: F6117C32500205EFDB149FA4CC89BAFBBB9EB46355F10402AF481B72A1D739A944DB68

Function 004014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00401506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00401515
CloseHandle.KERNEL32(00000004), ref: 00401520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0040154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00401563

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2d17e8cd9dc002425f647639a997e8eb59437404bf4df2871355c4ec871ad96c
Instruction ID: 29b4032e1be978f65fbf576e92331ab11ff67c25467a4a3c5363e6ffd91f2563
Opcode Fuzzy Hash: 2d17e8cd9dc002425f647639a997e8eb59437404bf4df2871355c4ec871ad96c
Instruction Fuzzy Hash: B2112972500249ABDF119FA8DE89BDE7BA9EF48744F044025FE05B21A0C3758E65DB64

Function 003C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003C3379,003C2FE5), ref: 003C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003C33B7
SetLastError.KERNEL32(00000000,?,003C3379,003C2FE5), ref: 003C3409

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3cad4a29a297df84b377f965aa3dfacf6228ed6cfa473e5e757e28d6cb90038c
Instruction ID: d45023347d08c4f1c01d3f0ed1e73429bbaf9937bc203ae930c125f468bc8d6b
Opcode Fuzzy Hash: 3cad4a29a297df84b377f965aa3dfacf6228ed6cfa473e5e757e28d6cb90038c
Instruction Fuzzy Hash: 4701B13360D351AEA62727B57CD5F662A94EB15379720823EF410C92F0EF614D115788

Function 003D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003D5686,003E3CD6,?,00000000,?,003D5B6A,?,?,?,?,?,003CE6D1,?,00468A48), ref: 003D2D78
_free.LIBCMT ref: 003D2DAB
_free.LIBCMT ref: 003D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,003CE6D1,?,00468A48,00000010,003A4F4A,?,?,00000000,003E3CD6), ref: 003D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,003CE6D1,?,00468A48,00000010,003A4F4A,?,?,00000000,003E3CD6), ref: 003D2DEC
_abort.LIBCMT ref: 003D2DF2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 579fada5a882439e93d7c55f6dd93cf02dfc703aa55d4d32f6b3a7cecc756335
Instruction ID: 18c2481ea0f9d110aee2baa96667ee640d37741574cbe762b99a6ee22fe9b840
Opcode Fuzzy Hash: 579fada5a882439e93d7c55f6dd93cf02dfc703aa55d4d32f6b3a7cecc756335
Instruction Fuzzy Hash: 86F0C8339456006BC2232738BC4AE5F255BAFE27A1F26442BF874A73D2EF748C115275

Function 00438A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96A2
Part of subcall function 003B9639: BeginPath.GDI32(?), ref: 003B96B9
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00438A4E
LineTo.GDI32(?,00000003,00000000), ref: 00438A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00438A70
LineTo.GDI32(?,00000000,00000003), ref: 00438A80
EndPath.GDI32(?), ref: 00438A90
StrokePath.GDI32(?), ref: 00438AA0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: dea062a542b89c69e875b79cc84c9c88073d5caaa10dc8a550edc6d0c02445fb
Instruction ID: b44bc660fd47eef673169a1858d196d582c534812953d61714ceef7e6ad4d044
Opcode Fuzzy Hash: dea062a542b89c69e875b79cc84c9c88073d5caaa10dc8a550edc6d0c02445fb
Instruction Fuzzy Hash: 7611DB7600014DFFDF129F94DC88FAA7F6DEB08354F048026BA19AA1A1C7719D55DFA4

Function 004051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00405218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00405229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00405230
ReleaseDC.USER32(00000000,00000000), ref: 00405238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0040524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00405261

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a56e03805ee9d3ef66525f8dcb7c350bddc278c9c6b6bc013d12355f5fff2e47
Instruction ID: 281be4146405ac23a2565d31a1f99ea6db16d13fc9dba3fd5f16512ca5373b9e
Opcode Fuzzy Hash: a56e03805ee9d3ef66525f8dcb7c350bddc278c9c6b6bc013d12355f5fff2e47
Instruction Fuzzy Hash: CB014F75A00718BBEB109BB59C89A5FBFB8EF48751F044076FA04FB291D6709801CFA4

Function 003A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 003A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 003A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 003A1C22

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fb5fa47fd3f1c240c941509ee4745580c12e341943449d0e6e833e29cb54fda1
Instruction ID: 258ab8f8d418c075327f3554b6419e0cb46bdbcc018295849bf645e8f81410bd
Opcode Fuzzy Hash: fb5fa47fd3f1c240c941509ee4745580c12e341943449d0e6e833e29cb54fda1
Instruction Fuzzy Hash: EF0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0040EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0040EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0040EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0040EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0040EB75

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e6fdabc6df7100a99c6af7ca35db75005e359a4fdd0acd3627918e7c2a44a30c
Instruction ID: e8497a623a8bfa1725d9be241b783b4ef407534c1a15684f2bb5677c71635bfe
Opcode Fuzzy Hash: e6fdabc6df7100a99c6af7ca35db75005e359a4fdd0acd3627918e7c2a44a30c
Instruction Fuzzy Hash: 03F03072140158BBE72157629C4EEEF3A7CEFCAB11F005169F601E1191D7A05A01DBB9

Function 003F7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 003F7469
GetWindowDC.USER32(?), ref: 003F7475
GetPixel.GDI32(00000000,?,?), ref: 003F7484
ReleaseDC.USER32(?,00000000), ref: 003F7496
GetSysColor.USER32(00000005), ref: 003F74B0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f53e0d0479162b14efb9ca58ff813b0c105312b7dcac326f39308dfa8b8addd3
Instruction ID: 751aedabeb1e12e97b4e09ac981e11e2a86d8267a07ebba5e007bc7da7c8336d
Opcode Fuzzy Hash: f53e0d0479162b14efb9ca58ff813b0c105312b7dcac326f39308dfa8b8addd3
Instruction Fuzzy Hash: E0014B31400619FFEB515F64DC49BAA7BB5FB04311F611174FA25A21A1CB311E51AB54

Function 00401874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040187F
UnloadUserProfile.USERENV(?,?), ref: 0040188B
CloseHandle.KERNEL32(?), ref: 00401894
CloseHandle.KERNEL32(?), ref: 0040189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004018A5
HeapFree.KERNEL32(00000000), ref: 004018AC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a735688888b463eb12860a209a138e1c5b0a97d34bda1c12ae6f5092a92794fb
Instruction ID: 7f9be66856812bead706162d9385f8b0fc05e28a479105ae9691098f9ac9f26a
Opcode Fuzzy Hash: a735688888b463eb12860a209a138e1c5b0a97d34bda1c12ae6f5092a92794fb
Instruction Fuzzy Hash: 0BE0E536004101BBEB016FA1ED8C90ABF39FF49B22B109230F625A1070CB329430EF58

Function 003ABBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003ABEB3

Strings

D%G, xrefs: 003ABCA2
D%G, xrefs: 003ABE9A
D%G, xrefs: 003ABDED, 003ABD91, 003ABD1B
D%GD%G, xrefs: 003ABCA5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%G$D%G$D%G$D%GD%G
API String ID: 1385522511-4070170118
Opcode ID: a73b7eb9aa71444ffe41ee2920ad16313ba26c9bf0c1426a260dfdf0d258780b
Instruction ID: b66fecc450b114ea68b814916b5e962ee5afff2a80b1245567bbe9e30a4c7f1a
Opcode Fuzzy Hash: a73b7eb9aa71444ffe41ee2920ad16313ba26c9bf0c1426a260dfdf0d258780b
Instruction Fuzzy Hash: C1914975A0020ADFCB19CF98C090AAAF7F5FF5A310B25816ED945AB352D771AD81CB90

Function 00427B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 003C0242: EnterCriticalSection.KERNEL32(0047070C,00471884,?,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C024D
Part of subcall function 003C0242: LeaveCriticalSection.KERNEL32(0047070C,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C028A

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

__Init_thread_footer.LIBCMT ref: 00427BFB

Part of subcall function 003C01F8: EnterCriticalSection.KERNEL32(0047070C,?,?,003B8747,00472514), ref: 003C0202
Part of subcall function 003C01F8: LeaveCriticalSection.KERNEL32(0047070C,?,003B8747,00472514), ref: 003C0235

Strings

5, xrefs: 00427C78
G, xrefs: 00427C7F
Variable must be of type 'Object'., xrefs: 00427C3A
+T?, xrefs: 00427E2E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T?$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2299519154
Opcode ID: ba0de0637d9e7266b93a5ddc8c51af27af2b3b6c7c3cf7d2013f7771dd8d189f
Instruction ID: df45c5e28d9b83268eadba698bc8b6cfa0bf4024fab7fe9ab0563061713f0547
Opcode Fuzzy Hash: ba0de0637d9e7266b93a5ddc8c51af27af2b3b6c7c3cf7d2013f7771dd8d189f
Instruction Fuzzy Hash: B6918C70704219EFCB15EF55E8909AEB7B1FF45304F90805AF806AB392DB78AE41CB59

Function 0040C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0040C6EE
_wcslen.LIBCMT ref: 0040C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0040C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0040C7CA

Strings

0, xrefs: 0040C6AF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: bf44692ec749d001c7005b705c52273b09d2bdaceae4b146311af125b6924536
Instruction ID: 7648c2db41d8bd8ed04207a300ac29a8efa3c85a5196577a740adb5545502214
Opcode Fuzzy Hash: bf44692ec749d001c7005b705c52273b09d2bdaceae4b146311af125b6924536
Instruction Fuzzy Hash: 8051BD71604302DBD725AF28C8C5BAB77E8AB45314F040B3AF995E72E0DB78D9058B5A

Function 0042AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0042AEA3

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

GetProcessId.KERNEL32(00000000), ref: 0042AF38
CloseHandle.KERNEL32(00000000), ref: 0042AF67

Strings

<, xrefs: 0042AE6B
@, xrefs: 0042AE72

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 2007cffb3a853937e0a39309fb34ca53330d7a1739f552d2edcb0bf44ab7d040
Instruction ID: 418c70dd52d53664135dbec6c5d93de70ca99ad6d97a659ea2948e68ef4963c7
Opcode Fuzzy Hash: 2007cffb3a853937e0a39309fb34ca53330d7a1739f552d2edcb0bf44ab7d040
Instruction Fuzzy Hash: A7716671A00628DFCB15EF54D484A9EBBF0FF09310F05849AE816AB362CB78ED45CB95

Function 0040719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00407206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0040723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0040724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004072CF

Strings

DllGetClassObject, xrefs: 00407242

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ff18f4197ac7448a32b1c0900830704b6dc8b1e6314f36d99e5691193c187320
Instruction ID: d21e1138cc04a31bdee89ef8e2a8d4580ac2514743ed5ae8d356f4033e346558
Opcode Fuzzy Hash: ff18f4197ac7448a32b1c0900830704b6dc8b1e6314f36d99e5691193c187320
Instruction Fuzzy Hash: BD41A371A04204EFDB15CF54C884A9A7BA9EF44310F1580BEFD05AF28AD7B8ED45CBA5

Function 00433D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00433E35
IsMenu.USER32(?), ref: 00433E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00433E92
DrawMenuBar.USER32 ref: 00433EA5

Strings

0, xrefs: 00433D89

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c9ef528ba36e12fc8402eb0e865d1938b38095ad6d6d39b7fd0dab5953c74b60
Instruction ID: c698198093fecd594b2961a7bcf23289706a3ce13b56a7c0868cb1519f448bc2
Opcode Fuzzy Hash: c9ef528ba36e12fc8402eb0e865d1938b38095ad6d6d39b7fd0dab5953c74b60
Instruction Fuzzy Hash: 714168B5A00209EFDB10DF54D885EAABBB9FF48361F04512AE905AB350D734EE41CF64

Function 00401DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00401E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00401E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00401EA9

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Strings

ListBox, xrefs: 00401E25
ComboBox, xrefs: 00401DF0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3a94ab057a2d0f0f7c8e138e291fbd66390902158f9c0887b5891787bb0c6d9d
Instruction ID: 28ff97fa23df4e6fbac4cef4a1b4b28d4c52720e467c45fa1c08949d259b2e3d
Opcode Fuzzy Hash: 3a94ab057a2d0f0f7c8e138e291fbd66390902158f9c0887b5891787bb0c6d9d
Instruction Fuzzy Hash: 76210571A00104BFDB15AB64DC86DFFB7B8EF46364F14412AF825BB2E1DB3C490A8664

Function 0042C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0042C9F1
_wcslen.LIBCMT ref: 0042CA68
_wcslen.LIBCMT ref: 0042CA9E
_wcslen.LIBCMT ref: 0042CAF9
_wcslen.LIBCMT ref: 0042CB2F
_wcslen.LIBCMT ref: 0042CB7F

Strings

HKLM, xrefs: 0042CA98, 0042CA9D
HKEY_LOCAL_MACHINE, xrefs: 0042CA62, 0042CA67

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 04c1bef0e4918f1fc800aa8028ca6d143d2dcbaa96bca7d2cc274d09c5f44da5
Instruction ID: 35707eba75f162fefe9cc0148ef2acfd9fb4a2d6e49a7c10e8b9c585325b2309
Opcode Fuzzy Hash: 04c1bef0e4918f1fc800aa8028ca6d143d2dcbaa96bca7d2cc274d09c5f44da5
Instruction Fuzzy Hash: EF31F732B001794ACB21DE2CE8D07BF33919BA1794B95402BE845AB344FA79CE40D3A9

Function 00432F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00432F8D
LoadLibraryW.KERNEL32(?), ref: 00432F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00432FA9
DestroyWindow.USER32(?), ref: 00432FB1

Strings

SysAnimate32, xrefs: 00432F68

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: caa6e1ea32d2a1624d9c307f8b1ecfb19d4e5501de424ff71c4eee2e9c9420fe
Instruction ID: 472721d549008af9f0e03b19612d36e61c0f9877d094e7b0e1d1928b67bf7b2c
Opcode Fuzzy Hash: caa6e1ea32d2a1624d9c307f8b1ecfb19d4e5501de424ff71c4eee2e9c9420fe
Instruction Fuzzy Hash: B021F071204205ABEB104F64DD81FBB37BDEF5D328F10222AF910D2290D3B5DC81A768

Function 003C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,003C4D1E,003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002), ref: 003C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,003C4D1E,003D28E9,?,003C4CBE,003D28E9,004688B8,0000000C,003C4E15,003D28E9,00000002,00000000), ref: 003C4DC3

Strings

mscoree.dll, xrefs: 003C4D86
CorExitProcess, xrefs: 003C4D98

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8cee8969fd3960fa5cb93640f88dc608303a58e907ac6e3a9b08abaa7ad18af6
Instruction ID: 9cd319499b6ada56c3c8975b571837663361a179409cd0742521d314c60808ab
Opcode Fuzzy Hash: 8cee8969fd3960fa5cb93640f88dc608303a58e907ac6e3a9b08abaa7ad18af6
Instruction Fuzzy Hash: 9AF0AF35A00208BBDB11AF90DC89FADBBB4EF04712F0001A9F906E2260CB745E40DB99

Function 003A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003A4EAE
FreeLibrary.KERNEL32(00000000,?,?,003A4EDD,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 003A4EA8
kernel32.dll, xrefs: 003A4E94

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e73dafa25cd29a64a6b6fa6cd272b6b4ec8dd840df16e056beda64331dc3b7b2
Instruction ID: 747a36ff63f3685916f0bcf7ff90a165e18af75c4e97edf40af1541a856bf647
Opcode Fuzzy Hash: e73dafa25cd29a64a6b6fa6cd272b6b4ec8dd840df16e056beda64331dc3b7b2
Instruction Fuzzy Hash: 67E08636A025229B96221B257C5CF5B6554EFC2B63B064126FC01F2104DBA4CD0156E9

Function 003A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003A4E74
FreeLibrary.KERNEL32(00000000,?,?,003E3CDE,?,00471418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 003A4E87

Strings

kernel32.dll, xrefs: 003A4E5B
Wow64RevertWow64FsRedirection, xrefs: 003A4E6E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f3600d4345033a2c28c7228ba23455564bc151051e463a1f7a8941f98703b1fb
Instruction ID: 6b1f6b9bffb8e9c98518f56070654ffb10cc1b9232d664950c1c081561bc741c
Opcode Fuzzy Hash: f3600d4345033a2c28c7228ba23455564bc151051e463a1f7a8941f98703b1fb
Instruction Fuzzy Hash: 35D0C236502621674A231B247C08E8B6A18EFC6B213060222B801F2114CFA4CD019AD8

Function 00412947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412C05
DeleteFileW.KERNEL32(?), ref: 00412C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00412C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00412CC0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ec50c9fd3e4709fcd2f0330f27a599a157e55ad52ee156deb5343994f7f49705
Instruction ID: 0b1c25b32fa608f3c019d913427528f41ee7962ac3b0c0eca9817e10eb890c3f
Opcode Fuzzy Hash: ec50c9fd3e4709fcd2f0330f27a599a157e55ad52ee156deb5343994f7f49705
Instruction Fuzzy Hash: E6B16C72D00119ABDF11DFA4CD85EDEB7BDEF09344F0040AAF609E6141EA749E948FA5

Function 0042A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0042A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0042A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0042A468
CloseHandle.KERNEL32(?), ref: 0042A63D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 6780f714d853413559a509e728cae78508146d40ce0346edfed02c2744bc659d
Instruction ID: 81ceabe21bd361cd2e8dd0c486332a4292884b2dc36b94965c188a90930325b1
Opcode Fuzzy Hash: 6780f714d853413559a509e728cae78508146d40ce0346edfed02c2744bc659d
Instruction Fuzzy Hash: 68A1AC71604300AFD721DF24D886F2AB7E5EF84714F54881DF99A9B392DBB4EC418B86

Function 0040E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0040CF22,?), ref: 0040DDFD

Part of subcall function 0040DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0040CF22,?), ref: 0040DE16

Part of subcall function 0040E199: GetFileAttributesW.KERNEL32(?,0040CF95), ref: 0040E19A

lstrcmpiW.KERNEL32(?,?), ref: 0040E473
MoveFileW.KERNEL32(?,?), ref: 0040E4AC
_wcslen.LIBCMT ref: 0040E5EB
_wcslen.LIBCMT ref: 0040E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0040E650

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c9b7d695777a07d853de871a331393387f6564bca38266f12bb7343d06edea6c
Instruction ID: e4cb971366596cb769d9bc6a76d440bfe1a3ddfe10b777bdd867d9e97086ce46
Opcode Fuzzy Hash: c9b7d695777a07d853de871a331393387f6564bca38266f12bb7343d06edea6c
Instruction Fuzzy Hash: 3D5183B24083445BC725EB91DC81ADBB3DCAF85340F004D2FF589E7191EF79A688875A

Function 0042B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 0042C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0042B6AE,?,?), ref: 0042C9B5
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042C9F1
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA68
Part of subcall function 0042C998: _wcslen.LIBCMT ref: 0042CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0042BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0042BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0042BB63
RegCloseKey.ADVAPI32(?,?), ref: 0042BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0042BBB3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 220cb65a6677a5d3ba1f6a0e7e152c15f42c01444dc0aa08556aa9258507c841
Instruction ID: 305245b4dd2f70208977a8da18c2facd29463fdc5b33ac3c2f9d3416323d4c65
Opcode Fuzzy Hash: 220cb65a6677a5d3ba1f6a0e7e152c15f42c01444dc0aa08556aa9258507c841
Instruction Fuzzy Hash: B361BF31208241AFC714DF14D890E2BBBE5FF85308F5485AEF4998B2A2CB35ED45CB92

Function 00408BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00408BCD
VariantClear.OLEAUT32 ref: 00408C3E
VariantClear.OLEAUT32 ref: 00408C9D
VariantClear.OLEAUT32(?), ref: 00408D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00408D3B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3e15332a9b462648897da73f62abd14d08caebbaa613ff2ee0f201058ebc8fe8
Instruction ID: fe06b7c4cfda68b2f682857abbf42deb438aa6a73e43ce88960baf26d9e4aae3
Opcode Fuzzy Hash: 3e15332a9b462648897da73f62abd14d08caebbaa613ff2ee0f201058ebc8fe8
Instruction Fuzzy Hash: 13518CB1A00219EFDB10CF28D884AAAB7F4FF89310B15856AE945EB350E734E911CF94

Function 00418AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00418BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00418BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00418C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00418C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00418C5F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 891511bb90f4c0dc5eee1463c6950635dd596d55846b76cfb4e3ec1633128f68
Instruction ID: 7835a78182179312c22d9afe9b3b7447eaa6e57443ff8eb45f4048f9a8d8aa18
Opcode Fuzzy Hash: 891511bb90f4c0dc5eee1463c6950635dd596d55846b76cfb4e3ec1633128f68
Instruction Fuzzy Hash: A7515A35A002149FCB05DF64C881AAEBBF5FF4A314F088099E849AB362DB35ED51CB90

Function 00428EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00428F40
GetProcAddress.KERNEL32(00000000,?), ref: 00428FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00428FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00429032
FreeLibrary.KERNEL32(00000000), ref: 00429052

Part of subcall function 003BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00411043,?,753CE610), ref: 003BF6E6
Part of subcall function 003BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003FFA64,00000000,00000000,?,?,00411043,?,753CE610,?,003FFA64), ref: 003BF70D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: a715c9771651d4a265818f71001340c92a604c7a06ce0d91052e288d24f19e5a
Instruction ID: e09467364697d0043062da04f647f4d563fd2d3e097792a8a466e9501d752d1b
Opcode Fuzzy Hash: a715c9771651d4a265818f71001340c92a604c7a06ce0d91052e288d24f19e5a
Instruction Fuzzy Hash: 67513934A01215DFCB01DF54C4949AEBBB1FF4A314F4980AAE805AF362DB35ED86CB95

Function 00436B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00436C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00436C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00436C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0041AB79,00000000,00000000), ref: 00436C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00436CC7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f7c2e19e137ef5ef08783c0f67b2ab4353e3813d43bf52b2b0e35df43797b085
Instruction ID: 077e092d8cbaad20bdc41b172a5faf9397e37f6379c99cad1bd02b167ec60df1
Opcode Fuzzy Hash: f7c2e19e137ef5ef08783c0f67b2ab4353e3813d43bf52b2b0e35df43797b085
Instruction Fuzzy Hash: 7B412A35600115BFDB24CF28CC95FA6BBA4EB0D350F16A22AF995A73E0C375ED41CA48

Function 003D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003D20C3
_free.LIBCMT ref: 003D20E3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 654de7fdb44e1b19cbcc9558401766c8de3c5ff83dd19deb5d891971552a1ebd
Instruction ID: d7012ff4a52aa039475352b30f022e4d78e8deddba0e9a2e6bf12eed135ce43f
Opcode Fuzzy Hash: 654de7fdb44e1b19cbcc9558401766c8de3c5ff83dd19deb5d891971552a1ebd
Instruction Fuzzy Hash: FA41B633A00200AFCB25DF78D881A6EB7B5EF99314F164569E615EB351D731ED01DB81

Function 003B912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003B9141
ScreenToClient.USER32(00000000,?), ref: 003B915E
GetAsyncKeyState.USER32(00000001), ref: 003B9183
GetAsyncKeyState.USER32(00000002), ref: 003B919D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 79d748defc953b65519c13ce1f8cf8a56ba1d6f7aabbec8d66139d86ace9b0c6
Instruction ID: d63e536c30827bcccc13c8726ac9f3a981f446593977a20a022c5cfd2bb5458f
Opcode Fuzzy Hash: 79d748defc953b65519c13ce1f8cf8a56ba1d6f7aabbec8d66139d86ace9b0c6
Instruction Fuzzy Hash: 4041813190851AFBDF169F68C844BFEB774FF09324F21822AE625A72D0C7345954DB51

Function 00413874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00413922
TranslateMessage.USER32(?), ref: 0041394B
DispatchMessageW.USER32(?), ref: 00413955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00413966

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6a6e0379cf37f8e44d7ff95f3ae1f337ce410a10273ee2d3797205bbcdc56118
Instruction ID: 3d3317a21b74246a3544b9e3b3598126ce1ba3a2496c46a5863eda081254dc01
Opcode Fuzzy Hash: 6a6e0379cf37f8e44d7ff95f3ae1f337ce410a10273ee2d3797205bbcdc56118
Instruction Fuzzy Hash: 563196F05143419EEB25DF349849BF73BE4AB05306F04057BD466962A0E3B8A6C5CB5A

Function 0041CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0041CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0041C21E,00000000), ref: 0041CFF2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ca5388941018a21b813ae73763828cc47bd9922211a79825c4658cc12df1ad8a
Instruction ID: edea85d1c3e507b7977fb7e8a68d33e329276b60b5e6d0bfea6ff290e7e8e45c
Opcode Fuzzy Hash: ca5388941018a21b813ae73763828cc47bd9922211a79825c4658cc12df1ad8a
Instruction Fuzzy Hash: B2314D71540205AFDB20DFA5CCC4AEBBBF9EB14354B10446EF516E2280D734ED829B68

Function 00401901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00401915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004019E2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2baca359f894c31f9726949b0b8323c6f55b22dc8f180cc494cb1567a01565d4
Instruction ID: 4bf0ef98fc6630edd34a04762729d9b17b3e5092f0ffc5fce824265a8ffd2863
Opcode Fuzzy Hash: 2baca359f894c31f9726949b0b8323c6f55b22dc8f180cc494cb1567a01565d4
Instruction Fuzzy Hash: F831C0B1A00219EFCB00CFA8CD99ADE3BB5EB05315F10423AF921B72E1C7749954DB94

Function 00435706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00435745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0043579D
_wcslen.LIBCMT ref: 004357AF
_wcslen.LIBCMT ref: 004357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00435816

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 16876efb33c42645a6dc3ea63d2e49099687f24f805449752008e50c0c9fd03d
Instruction ID: 28008e590ced889464dca875d15d7ac2d8d9db88ec5f16b1d17a773433057b23
Opcode Fuzzy Hash: 16876efb33c42645a6dc3ea63d2e49099687f24f805449752008e50c0c9fd03d
Instruction Fuzzy Hash: 9021A5759046189ADB20DF64CC85BEE77B8FF18324F109217E929EA280D7748985CF55

Function 00420930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00420951
GetForegroundWindow.USER32 ref: 00420968
GetDC.USER32(00000000), ref: 004209A4
GetPixel.GDI32(00000000,?,00000003), ref: 004209B0
ReleaseDC.USER32(00000000,00000003), ref: 004209E8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 4735d60da03464345e1afeffd2525e617f09266f76e2b0277e23626319efebc2
Instruction ID: e6f9484d375769edbd9adb4916a77ac8e25a2fab829a01a1b6226768524bd975
Opcode Fuzzy Hash: 4735d60da03464345e1afeffd2525e617f09266f76e2b0277e23626319efebc2
Instruction Fuzzy Hash: 2A218E75A00214AFD704EF65D985AAEBBF9EF49700F14807DE84AA7762CB34AC44CB94

Function 003DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003DCDE9

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003DCE0F
_free.LIBCMT ref: 003DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003DCE31

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 9e362528522f8586cb07d31008f71e83c85402fe2af250b89603c774bc26ebd6
Instruction ID: 512d4f5e4a9b6f798e797aee948e28ed2ae9a137362d007f4b6f4c77f2b12b1f
Opcode Fuzzy Hash: 9e362528522f8586cb07d31008f71e83c85402fe2af250b89603c774bc26ebd6
Instruction Fuzzy Hash: 6101D8B36212167F672216BA7C88D7BBA6DDEC6BA2315112BFD05D7300DA608E01D2B4

Function 003B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
SelectObject.GDI32(?,00000000), ref: 003B96A2
BeginPath.GDI32(?), ref: 003B96B9
SelectObject.GDI32(?,00000000), ref: 003B96E2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 76da8bf315652731fdb49851e0e5429e36f18cb2f4cfb07cadb088d2f0a4d289
Instruction ID: a3db00e63e40faafa6005cbf4740330a1acdb4a0a87329469766494c5630653a
Opcode Fuzzy Hash: 76da8bf315652731fdb49851e0e5429e36f18cb2f4cfb07cadb088d2f0a4d289
Instruction Fuzzy Hash: 972171B1802309EFDB129F68DC557E97BB8BB10329F110227F714A65B0D3705892CF98

Function 00405711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00405726
_memcmp.LIBVCRUNTIME ref: 00405744
_memcmp.LIBVCRUNTIME ref: 00405757
_memcmp.LIBVCRUNTIME ref: 0040576F
_memcmp.LIBVCRUNTIME ref: 00405787

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 505a7ce9730d790c867ba0fa53c70f0d3c885d7f1b49117104fc4d6c17efe74a
Instruction ID: a772ff09f3da3df6f3b74946ba5f4f6672162f84e41266919aef21b95b97bae7
Opcode Fuzzy Hash: 505a7ce9730d790c867ba0fa53c70f0d3c885d7f1b49117104fc4d6c17efe74a
Instruction Fuzzy Hash: 3A01D6A5681605BAD70855109E42FBB634CEB25398F100036FD04AF682F638ED15A6A9

Function 003D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,003CF2DE,003D3863,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6), ref: 003D2DFD
_free.LIBCMT ref: 003D2E32
_free.LIBCMT ref: 003D2E59
SetLastError.KERNEL32(00000000,003A1129), ref: 003D2E66
SetLastError.KERNEL32(00000000,003A1129), ref: 003D2E6F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f29a5dfc2b6c31a9b76dd1899cb1db1a609df9d4e20dcbfc1320426de6d3b92f
Instruction ID: 63fe8efb206cce014a9979a6b267b156bab821caeafae1904e0d0effd9ab3fa8
Opcode Fuzzy Hash: f29a5dfc2b6c31a9b76dd1899cb1db1a609df9d4e20dcbfc1320426de6d3b92f
Instruction Fuzzy Hash: EA01F4336456006BC6132734BC85D6B275DABF23B2B26443BF825A7392EBB4CC154121

Function 0040000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?,?,0040035E), ref: 0040002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?), ref: 00400064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003FFF41,80070057,?,?), ref: 00400070

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1d1c373d45dfa4a8bfbf573a2b7271a66bb56fbd50457ebc5e06f4044ac66b7e
Instruction ID: 1e9ba822aa236b9818bcb5a6626a114c8d156bb6b524c6b35bd3bf75a1974100
Opcode Fuzzy Hash: 1d1c373d45dfa4a8bfbf573a2b7271a66bb56fbd50457ebc5e06f4044ac66b7e
Instruction Fuzzy Hash: 9C01A276600204BFDB105F68EC48FAA7AEDEF44752F245135F905F2250DB79DE408BA4

Function 0040E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0040E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0040E9A5
Sleep.KERNEL32(00000000), ref: 0040E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0040E9B7
Sleep.KERNEL32 ref: 0040E9F3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 38c61114b4d5c06e6a5f7ded9a3b6373c68750818ea177dba82c7ceea4c78b8b
Instruction ID: 27b24c4345fdc41f1dcef9754af59b48704b13f36ae39aec3e23b69051d93407
Opcode Fuzzy Hash: 38c61114b4d5c06e6a5f7ded9a3b6373c68750818ea177dba82c7ceea4c78b8b
Instruction Fuzzy Hash: 4C015271C0162DDBCF009FE6DD996DEBB78FF09701F000966E502B2291CB389565DBAA

Function 004010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00401114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 0040112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00400B9B,?,?,?), ref: 00401136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0040114D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 49e8e7b4df3669508f838bae9518e49a4b7acdddb419439f43207ede3a81edde
Instruction ID: 08e415be5de0b21e0dfe012a65a2cd66f51d2fd3e1e11f4c439799fb8781c806
Opcode Fuzzy Hash: 49e8e7b4df3669508f838bae9518e49a4b7acdddb419439f43207ede3a81edde
Instruction Fuzzy Hash: D9011975200215BFDB155FA5DC89A6B3B6EEF893A0B204429FA45E73A0DB31DC009B64

Function 00400FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00400FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00400FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00400FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00400FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00401002

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2ba99b9b0c132d1098cb1c0033d5c6870b948b8b3689a527ede00494255fc215
Instruction ID: 31096d3e23ff7a29fd1a07b66e51378a2e6ad88b0d77f3fd4488fdffc72dce3f
Opcode Fuzzy Hash: 2ba99b9b0c132d1098cb1c0033d5c6870b948b8b3689a527ede00494255fc215
Instruction Fuzzy Hash: E7F06D35240301EBEB224FA4DC8DF5B3BADEF89762F104425FA85E72A1CA74DC508B64

Function 00401014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0040102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00401036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0040104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401062

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 97e9d2fc559076cddddfaa24f0987800955446a523bdd4ab04bfa1760776b292
Instruction ID: d9599d2c819b07def7672eaf9488c96b8766bb41fb7932b48464ddb9047302b2
Opcode Fuzzy Hash: 97e9d2fc559076cddddfaa24f0987800955446a523bdd4ab04bfa1760776b292
Instruction Fuzzy Hash: 60F06D35240301EBEB215FA4EC89F5B3BADEF89761F100425FA85F72A0CA74D8508B64

Function 0041030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410324
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410331
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 0041033E
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 0041034B
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410358
CloseHandle.KERNEL32(?,?,?,?,0041017D,?,004132FC,?,00000001,003E2592,?), ref: 00410365

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fd79626b85aaf0d8e5385f70096a280725b6c0ca1c4b512d5f73ecf80db534d7
Instruction ID: b38640b3f918ee533f41c0fff424d9ba8ed5d47329abb38d9189be5542d28f41
Opcode Fuzzy Hash: fd79626b85aaf0d8e5385f70096a280725b6c0ca1c4b512d5f73ecf80db534d7
Instruction Fuzzy Hash: 5D01A272800B199FC730AF66D880453F7F5BF503153158A3FD5A652A31C3B5A995DF84

Function 003DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003DD752

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003DD764
_free.LIBCMT ref: 003DD776
_free.LIBCMT ref: 003DD788
_free.LIBCMT ref: 003DD79A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 86f6f85e9cd5f9f206823724b9af13c90e816eb650cb5a729ff741039fe34dc0
Instruction ID: 857818c2426ec1c9f74e25b4c83def33af8cceb2f28b7dba127ea5fb84a72d22
Opcode Fuzzy Hash: 86f6f85e9cd5f9f206823724b9af13c90e816eb650cb5a729ff741039fe34dc0
Instruction Fuzzy Hash: D9F04F73540204AB8622FF64F9C1C2777DDBB45310B950857F098DB601D730FC808A65

Function 00405C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00405C6F
MessageBeep.USER32(00000000), ref: 00405C87
KillTimer.USER32(?,0000040A), ref: 00405CA3
EndDialog.USER32(?,00000001), ref: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 637970d5c65c312db375eb2d6a6896a3b0761c64d320f28669a34388d30fd266
Instruction ID: c7cedf559bb32d530ce4a310f6d40499f7e8755aa3026da69104e02491b63036
Opcode Fuzzy Hash: 637970d5c65c312db375eb2d6a6896a3b0761c64d320f28669a34388d30fd266
Instruction Fuzzy Hash: 030144315047049BFB215B10DD8FFA777B8EB00705F04157AA552B10E1D7B859448F55

Function 003D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003D22BE

Part of subcall function 003D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000), ref: 003D29DE
Part of subcall function 003D29C8: GetLastError.KERNEL32(00000000,?,003DD7D1,00000000,00000000,00000000,00000000,?,003DD7F8,00000000,00000007,00000000,?,003DDBF5,00000000,00000000), ref: 003D29F0

_free.LIBCMT ref: 003D22D0
_free.LIBCMT ref: 003D22E3
_free.LIBCMT ref: 003D22F4
_free.LIBCMT ref: 003D2305

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6db5a16e5922c9a4ae9bff2438440a94ccfa9df4877cb0a18cf5234e5fbac129
Instruction ID: d30f45ccf0f04bbfed907eb3296c917187868811ab0d2f32c48f3f2cc0ceb446
Opcode Fuzzy Hash: 6db5a16e5922c9a4ae9bff2438440a94ccfa9df4877cb0a18cf5234e5fbac129
Instruction Fuzzy Hash: 37F05472401110CB8623BF78BC5181A3B64F7297517010567F418D7372DB7104A1BFED

Function 003B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003B95D4
StrokeAndFillPath.GDI32(?,?,003F71F7,00000000,?,?,?), ref: 003B95F0
SelectObject.GDI32(?,00000000), ref: 003B9603
DeleteObject.GDI32 ref: 003B9616
StrokePath.GDI32(?), ref: 003B9631

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1dd1517e04323d593bb63effd5ad51210d286939cf8986b30935abe6ecc9ded6
Instruction ID: d1bc68366b62a787df1974bbb82a3c05b9f5d39b6e70663e2ec751a3f3efe9a5
Opcode Fuzzy Hash: 1dd1517e04323d593bb63effd5ad51210d286939cf8986b30935abe6ecc9ded6
Instruction Fuzzy Hash: 1EF037B1006248EBDB265F69ED5CBA43F75AB01336F048235F729694F0C7348992DF28

Function 003D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003D10F9
__freea.LIBCMT ref: 003D1117

Part of subcall function 003D1537: _free.LIBCMT ref: 003D154F

Strings

am/pm, xrefs: 003D117A
a/p, xrefs: 003D11DE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: cc57e26e50c93bab9797c694858bb0de31904fad00b34c5f66fd8c6a0adfab11
Instruction ID: 9f61ed5bb479147dc147330100b7f7e4e8386707ad02dd463001ae2587f61f19
Opcode Fuzzy Hash: cc57e26e50c93bab9797c694858bb0de31904fad00b34c5f66fd8c6a0adfab11
Instruction Fuzzy Hash: 70D1F27B900206EBDB2B9F68E845BFAB7B5EF05700F29011BE9019BB51D3759D80CB91

Function 004261D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 003C0242: EnterCriticalSection.KERNEL32(0047070C,00471884,?,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C024D
Part of subcall function 003C0242: LeaveCriticalSection.KERNEL32(0047070C,?,003B198B,00472518,?,?,?,003A12F9,00000000), ref: 003C028A

Part of subcall function 003C00A3: __onexit.LIBCMT ref: 003C00A9

__Init_thread_footer.LIBCMT ref: 00426238

Part of subcall function 003C01F8: EnterCriticalSection.KERNEL32(0047070C,?,?,003B8747,00472514), ref: 003C0202
Part of subcall function 003C01F8: LeaveCriticalSection.KERNEL32(0047070C,?,003B8747,00472514), ref: 003C0235

Part of subcall function 0041359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004135E4
Part of subcall function 0041359C: LoadStringW.USER32(00472390,?,00000FFF,?), ref: 0041360A

Strings

x#G, xrefs: 0042633A
x#G, xrefs: 00426353
x#G, xrefs: 0042636F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#G$x#G$x#G
API String ID: 1072379062-3675027381
Opcode ID: 5a74bc3dbce68a74fd09b231ba769c87a9af1316c2a27829ba20af6778e6c2cd
Instruction ID: 9973d1ab0c99f659fb18e0cafbc8bbf7319540fb13ae1d7863d0ef641c6097d2
Opcode Fuzzy Hash: 5a74bc3dbce68a74fd09b231ba769c87a9af1316c2a27829ba20af6778e6c2cd
Instruction Fuzzy Hash: 4BC1BD31A00115AFCB15EF58D890EBEB7B9EF48300F51806AF945AB391DB74ED85CBA4

Function 003D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO:, xrefs: 003D5BA8, 003D5C6C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: JO:
API String ID: 0-866212732
Opcode ID: 34f1c6fb84d80fe756ea1c0ca61dc43f39ea854fa58baccd04a02fb7262c4636
Instruction ID: d385854b3a35754f0f163c2ff959f07b397d9183067911dec423dc70fdfdc5b4
Opcode Fuzzy Hash: 34f1c6fb84d80fe756ea1c0ca61dc43f39ea854fa58baccd04a02fb7262c4636
Instruction Fuzzy Hash: F951BF76D10609AFDB239FA8E845FAEBFB8AF05310F15005BF405AB392D7719A01DB61

Function 003D8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003D8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003D8B7A
__dosmaperr.LIBCMT ref: 003D8B81

Strings

.<, xrefs: 003D8A63

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .<
API String ID: 2434981716-2261328457
Opcode ID: 2eeca1a4351e64ccb027b78bdda6c7ad5adc1744d735e7b83c2c430275f3e456
Instruction ID: b0fd8e7a7c2e808abae4a83a27c2e164fcdc1a551e9590a59fd8c86cc263ce54
Opcode Fuzzy Hash: 2eeca1a4351e64ccb027b78bdda6c7ad5adc1744d735e7b83c2c430275f3e456
Instruction Fuzzy Hash: C941A172604085AFDB279F28EC80A7D7FA5DF45304F2945ABF8848B742DE31EC029794

Function 00402716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004021D0,?,?,00000034,00000800,?,00000034), ref: 0040B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00402760

Part of subcall function 0040B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0040B3F8

Part of subcall function 0040B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0040B355
Part of subcall function 0040B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00402194,00000034,?,?,00001004,00000000,00000000), ref: 0040B365
Part of subcall function 0040B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00402194,00000034,?,?,00001004,00000000,00000000), ref: 0040B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0040281A

Strings

@, xrefs: 00402832

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: db7a8893fc2ddb1d000f3e338f51974289954595fce413c041129c90e028cd43
Instruction ID: 3d95bddae58544b07f2c8cb1591b6e77adedca732274a482619839ca23d9889f
Opcode Fuzzy Hash: db7a8893fc2ddb1d000f3e338f51974289954595fce413c041129c90e028cd43
Instruction Fuzzy Hash: 69414F76900218BFDB11DFA4CD85ADEBBB8EF05304F10406AFA55B7181DB746E45CBA4

Function 003D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 003D1769
_free.LIBCMT ref: 003D1834
_free.LIBCMT ref: 003D183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 003D1760, 003D1767, 003D1796, 003D17CE

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1957095476
Opcode ID: 2c29c1c127f1daa5d6b6028bb7af1bf74875d84a1eb831b8984a2bc75bfb240d
Instruction ID: 64e40c154d896cded5b949922ca3d2113259594d4d0c2d5f023c7d239057e2e9
Opcode Fuzzy Hash: 2c29c1c127f1daa5d6b6028bb7af1bf74875d84a1eb831b8984a2bc75bfb240d
Instruction Fuzzy Hash: 66315076A00258BFDB22DB99E885D9EBBFCEB95310B1541A7F404EB321D7708E40DB94

Function 0040C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0040C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0040C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00471990,00F65558), ref: 0040C395

Strings

0, xrefs: 0040C2DF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 2484f0db742b1297998977a05d638ebb3199d688435b66d156d5cf7cb86dcce2
Instruction ID: eac54e6b093edf00d88d1245ffe5123c62fc13471ffaca46d45162ebeb146f12
Opcode Fuzzy Hash: 2484f0db742b1297998977a05d638ebb3199d688435b66d156d5cf7cb86dcce2
Instruction Fuzzy Hash: F0416D31214301DFD720DF25D8C4B5ABBE4AF85314F14872EEDA5A72D1D734A904CB6A

Function 00434416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0043CC08,00000000,?,?,?,?), ref: 004344AA
GetWindowLongW.USER32 ref: 004344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004344D7

Strings

SysTreeView32, xrefs: 0043447C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e00038cd2db598cc1336515e10b39af236e67ae5eebee9ffd309acc088e90ab3
Instruction ID: 38408f0ddb05e261ba18f82606b11440cdef62e450c0f263c3cec7d5c5cf94fa
Opcode Fuzzy Hash: e00038cd2db598cc1336515e10b39af236e67ae5eebee9ffd309acc088e90ab3
Instruction Fuzzy Hash: E731B032200605AFDF219E38DC45BDB77A9EB48334F205326F975A22D0D778EC509B54

Function 00406E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00406EED
VariantCopyInd.OLEAUT32(?,?), ref: 00406F08
VariantClear.OLEAUT32(?), ref: 00406F12

Strings

*j@, xrefs: 00406E8B, 00406E90, 00406EF8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j@
API String ID: 2173805711-592828569
Opcode ID: 67d0e5befbb342693eb018a7b4905ab2d4b362f908e4db7335778f97dac76398
Instruction ID: 57a3cd54a581213b80657da1c46a781969d5900135055f7dbf6f9110e7e6292a
Opcode Fuzzy Hash: 67d0e5befbb342693eb018a7b4905ab2d4b362f908e4db7335778f97dac76398
Instruction Fuzzy Hash: CA318F71704246DFCB05AFA4E8909BE7776EF46700B1104AAF9075F2A2C7389922DB99

Function 0042304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0042335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00423077,?,?), ref: 00423378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0042307A
_wcslen.LIBCMT ref: 0042309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00423106

Strings

255.255.255.255, xrefs: 00423095, 0042309A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fa4280667aaa7c2dccdc11c7f8f643b888efca78c539ab9373eeec0cc850e51c
Instruction ID: d0f8dd3dacc87448a0e33281c6539c23edad25fd8d64583a5d691be7903e90e1
Opcode Fuzzy Hash: fa4280667aaa7c2dccdc11c7f8f643b888efca78c539ab9373eeec0cc850e51c
Instruction Fuzzy Hash: F931CF353002219FCB10CF68D486EAA77B0EF14319FA4809AE8158B392DB7AEE41C775

Function 00433EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00433F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00433F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00433F78

Strings

SysMonthCal32, xrefs: 00433F0B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a595010d21eaedbb2f50442acf72e6eb5ce814483c10d2a629e9cef851d50354
Instruction ID: a292c663eaa49315c27824b176ecbd8a3a65858cabdeebba65b3438763083f3f
Opcode Fuzzy Hash: a595010d21eaedbb2f50442acf72e6eb5ce814483c10d2a629e9cef851d50354
Instruction Fuzzy Hash: B321BF32600219BBDF219F50CC86FEB3B75EF48718F111219FA157B1D0D6B5A8908B94

Function 00434653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00434705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00434713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0043471A

Strings

msctls_updown32, xrefs: 00434684

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 14957d6a6d0511245875dffc7935243b6fcf05050431d36632350294efc588a3
Instruction ID: a457160b138ead54d63df264e8ccda69042c0a9a91fa8a201d3f9013de4a3ae2
Opcode Fuzzy Hash: 14957d6a6d0511245875dffc7935243b6fcf05050431d36632350294efc588a3
Instruction Fuzzy Hash: 6E215EB5600208AFEB11DF68DCC1DA737ADEB8A394B14105AFA049B3A1CB74FC51CB64

Function 004095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040961D

Strings

#requireadmin, xrefs: 004095D9
#OnAutoItStartRegister, xrefs: 004095F3
#notrayicon, xrefs: 004095B7

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 06cc1e75fc19ed27fa6c9e55ffc4957716aff063ee78dc84b76d7e90302f8bc3
Instruction ID: cb30ab0e4d1ebc40a6c38cd2481147f2a236796052290fcf24c47c8f633068f0
Opcode Fuzzy Hash: 06cc1e75fc19ed27fa6c9e55ffc4957716aff063ee78dc84b76d7e90302f8bc3
Instruction Fuzzy Hash: 1321F67220451166D332BB259C02FB7B3D89F65310F14443BF949AB2C2EB7AAE46D399

Function 004337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00433840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00433850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00433876

Strings

Listbox, xrefs: 0043380F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 73a99ec73098da9da7e7d87a9ae287eff689d70778504c850e283ac3a80b5be0
Instruction ID: 034cbbe33cd2fb0362147dc32d0918c8c897f08cc061db767a3e93218d697ce8
Opcode Fuzzy Hash: 73a99ec73098da9da7e7d87a9ae287eff689d70778504c850e283ac3a80b5be0
Instruction Fuzzy Hash: 4321FF72600218BBEF219F54CC81FBB37AEEF89760F109125F9049B290C775DC528BA4

Function 004149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00414A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00414A5C
SetErrorMode.KERNEL32(00000000,?,?,0043CC08), ref: 00414AD0

Strings

%lu, xrefs: 00414A6F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: ff31591ca0efc1eab07189836502e572f2ae6fde8c0f61dfe70d48498effca56
Instruction ID: d54369ab4ccf484624a9573caca82fa59e71af3fc68efddb620d1524d7abad5d
Opcode Fuzzy Hash: ff31591ca0efc1eab07189836502e572f2ae6fde8c0f61dfe70d48498effca56
Instruction Fuzzy Hash: 6E31AE74A00108AFCB10DF54C880EAA7BF8EF49318F1480A9F908EF252D735EE45CB61

Function 004341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0043424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00434264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00434271

Strings

msctls_trackbar32, xrefs: 00434226

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 96360a206f8b7a805cbe20aa776df66d66f7c941b72c09eabfe920d1d556f624
Instruction ID: de01a3391ca3e89dc795cc8290a5723016f3f0cd15811befdeeba3b00a3e3bf7
Opcode Fuzzy Hash: 96360a206f8b7a805cbe20aa776df66d66f7c941b72c09eabfe920d1d556f624
Instruction Fuzzy Hash: 1811E7312402087EEF205E29CC06FEB3BACEF89764F111125FA55E61A0D275E8519714

Function 00402F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

Part of subcall function 00402DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00402DC5
Part of subcall function 00402DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00402DD6
Part of subcall function 00402DA7: GetCurrentThreadId.KERNEL32 ref: 00402DDD
Part of subcall function 00402DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00402DE4

GetFocus.USER32 ref: 00402F78

Part of subcall function 00402DEE: GetParent.USER32(00000000), ref: 00402DF9

GetClassNameW.USER32(?,?,00000100), ref: 00402FC3
EnumChildWindows.USER32(?,0040303B), ref: 00402FEB

Strings

%s%d, xrefs: 00402FFF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a663f6e22f07c1a40fc32da86ee7fd7a69a40e82e255d1859aeea46856cda14f
Instruction ID: 051ed9a11ca36842323420c59d8894e4e497d036f644114713f59430eb977ffb
Opcode Fuzzy Hash: a663f6e22f07c1a40fc32da86ee7fd7a69a40e82e255d1859aeea46856cda14f
Instruction Fuzzy Hash: 5A11D5716002056BCF01BF618DD6EEE776AAF84304F04507AB909AB2D2DE7899058B74

Function 00435882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004358EE
DrawMenuBar.USER32(?), ref: 004358FD

Strings

0, xrefs: 0043588F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 8469521c51b33df132d02b740604beb07e0508a26894e9d46d5040dc9f0d680c
Instruction ID: 528654e80b56b632a4a50569f3c51716a82e09dba0866b1afe2111a02fa34e5f
Opcode Fuzzy Hash: 8469521c51b33df132d02b740604beb07e0508a26894e9d46d5040dc9f0d680c
Instruction Fuzzy Hash: F1016D71500218EFDB219F11DC44BEFBBB5FF49360F1090AAE949DA251DB348A94DF25

Function 003FD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003FD3BF
FreeLibrary.KERNEL32 ref: 003FD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 003FD3B9
X64, xrefs: 003FD2A8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 0933daa0e2b137e9c747ec96d262b7b0d0c27eb8916aebe557cd7dd828b3371b
Instruction ID: f1ab20437f55e386c29cec7b54edbad613bdc2e2ec9ef371f0317ef5db564b9f
Opcode Fuzzy Hash: 0933daa0e2b137e9c747ec96d262b7b0d0c27eb8916aebe557cd7dd828b3371b
Instruction Fuzzy Hash: 27F0EC29505625ABEB3352104C9C9B93319AF10701F55D557EB03F1518D764CD446BDB

Function 0040007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace138a905c09a147da653d3c2438bd23279e6b021e7f6c9e89604d28c6eaead
Instruction ID: 3aba144dd38b621e48a62a3fee0d918e28600032c9f7eff269d104232f9f22c5
Opcode Fuzzy Hash: ace138a905c09a147da653d3c2438bd23279e6b021e7f6c9e89604d28c6eaead
Instruction Fuzzy Hash: 59C13A75A0020AAFDB15CFA4C894FAEB7B5FF48304F1085A9E905EB291D735DE41CB94

Function 0042342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00423459
CoUninitialize.OLE32 ref: 00423463
VariantInit.OLEAUT32(?), ref: 0042346E
VariantClear.OLEAUT32(?), ref: 0042371B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fd1fcb0a55dfd547110911e2d951fea673c3977dc59e5d9ae5244024e0b09a4a
Instruction ID: de42750af8bfe810d63bc3d5d31522f3a110b4db6243050a3887c1fdda1d14e8
Opcode Fuzzy Hash: fd1fcb0a55dfd547110911e2d951fea673c3977dc59e5d9ae5244024e0b09a4a
Instruction Fuzzy Hash: AFA16B757042109FC711EF24C885A2AB7E5FF89714F04885EF98A9B362DB38ED01CB96

Function 00400436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0043FC08,?), ref: 004005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0043FC08,?), ref: 00400608
CLSIDFromProgID.OLE32(?,?,00000000,0043CC40,000000FF,?,00000000,00000800,00000000,?,0043FC08,?), ref: 0040062D
_memcmp.LIBVCRUNTIME ref: 0040064E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a8dc4cf112d6c9620ac10d9f8b04bc87d7814499a086a406a2bf08aaab67a3a2
Instruction ID: 45b90aa33db4105d0536175da45e5289226bbcc1e9dbd6340c0bdb3e934bc445
Opcode Fuzzy Hash: a8dc4cf112d6c9620ac10d9f8b04bc87d7814499a086a406a2bf08aaab67a3a2
Instruction Fuzzy Hash: 1C813B71A00109EFCB04DF94C984EEEB7B9FF89315F204569E506BB290DB75AE06CB64

Function 0042A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0042A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0042A6BA

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0042A79C
CloseHandle.KERNEL32(00000000), ref: 0042A7AB

Part of subcall function 003BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003E3303,?), ref: 003BCE8A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 12d7300a27384cf3c78ebaceb78e7634c18fad0d472ee697662b5adf48f6465b
Instruction ID: f4a011c22227820eae318725953e2f5f24c6b5233015a5754a579927e4d234a5
Opcode Fuzzy Hash: 12d7300a27384cf3c78ebaceb78e7634c18fad0d472ee697662b5adf48f6465b
Instruction Fuzzy Hash: 535180715083109FD711EF24D886A6BBBE8FF89754F40892EF9859B251EB34D904CB92

Function 003E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003E14C0

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7d9b623d51efe349a8f0395dfa7696427ff88b3ce03defaecc833eb57a112d43
Instruction ID: 7554340c7ea92042bec2ca5ed287473ff9276e5a4db955307d647bfc9a3cc8f8
Opcode Fuzzy Hash: 7d9b623d51efe349a8f0395dfa7696427ff88b3ce03defaecc833eb57a112d43
Instruction Fuzzy Hash: 14416F36600560ABDB236BBB9C45FBE3AB5EF42330F15072AF418DA3D2E6344C419B61

Function 00436278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004362E2
ScreenToClient.USER32(?,?), ref: 00436315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00436382

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f9daf2c6629658800dcff08342d368c8886b2336a36ae3b4d88d163be4887f13
Instruction ID: 902652e7a1f15771b6c9b938a9f0d7a9ce2db4b962f79e0ac1a2b99ec70b46bd
Opcode Fuzzy Hash: f9daf2c6629658800dcff08342d368c8886b2336a36ae3b4d88d163be4887f13
Instruction Fuzzy Hash: DC514A75A0020AAFCB10DF68D8809AF7BB5EB49360F11916AF9159B3A0D734ED81CB54

Function 00421AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00421AFD
WSAGetLastError.WSOCK32 ref: 00421B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00421B8A
WSAGetLastError.WSOCK32 ref: 00421B94

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e518cb07c4eb416d64891ea12df182b2c19f3efe37c56a58640245c9e62bebbf
Instruction ID: 368dc9651a5a719b1e10fb8296dcf622ddc8c0fd74c8bc70eabbf7ebe7f4ebcc
Opcode Fuzzy Hash: e518cb07c4eb416d64891ea12df182b2c19f3efe37c56a58640245c9e62bebbf
Instruction Fuzzy Hash: 9441DF34700200AFE721AF20D886F2A7BE5EF45718F548458FA1A9F7D2D776ED428B90

Function 003DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cb663e8f1e85f17d87d52c112f859f645f764a7de49a3654a0f11d5d4843b9
Instruction ID: 17284c73aed1503a472ece69ade16ca387d0f97a003902f742cb9d4383f50abf
Opcode Fuzzy Hash: f8cb663e8f1e85f17d87d52c112f859f645f764a7de49a3654a0f11d5d4843b9
Instruction Fuzzy Hash: D941D1B6A00254EFD726DF39D841BAABBB9EB88710F11862FF141DB782D77199018790

Function 004156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00415783
GetLastError.KERNEL32(?,00000000), ref: 004157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004157FA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a1a833cf74dadbb865bb9faa6711af61a600718b94a47eb353d5ab2d7385a3b1
Instruction ID: 8c2bd466d7cfcdceae4041c5cd5fd1a442f49da1d61a4d9adf039f9b9278b603
Opcode Fuzzy Hash: a1a833cf74dadbb865bb9faa6711af61a600718b94a47eb353d5ab2d7385a3b1
Instruction Fuzzy Hash: 4F412D39600610DFCB11EF15C485A5EBBE2EF8A720F188499E84A6F362CB34FD40CB95

Function 003DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,003C6D71,00000000,00000000,003C82D9,?,003C82D9,?,00000001,003C6D71,?,00000001,003C82D9,003C82D9), ref: 003DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003DD9AB
__freea.LIBCMT ref: 003DD9B4

Part of subcall function 003D3820: RtlAllocateHeap.NTDLL(00000000,?,00471444,?,003BFDF5,?,?,003AA976,00000010,00471440,003A13FC,?,003A13C6,?,003A1129), ref: 003D3852

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 23e61d9643612d442769dfa7e182e4aba4bf3c853f3d0d1fb2d388f437d29555
Instruction ID: 1404218adcf8aaca62fb26b5f7890e4286a49f99a06ca6787154d1ae870b8ae4
Opcode Fuzzy Hash: 23e61d9643612d442769dfa7e182e4aba4bf3c853f3d0d1fb2d388f437d29555
Instruction Fuzzy Hash: AB31C172A0021AABDF26DF65EC91EAF7BA5EB41310F064169FC04DB250EB36DD50DB90

Function 004352C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00435352
GetWindowLongW.USER32(?,000000F0), ref: 00435375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00435382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004353A8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 25bcaa0884f77a8d7b22ed596893c39251dfdf43387e4074c693f2d7c14ecbb1
Instruction ID: ac75f4e461b770f3fef7b28f4d1e0ae825061c37eb74e1b0f95e77cfae728f71
Opcode Fuzzy Hash: 25bcaa0884f77a8d7b22ed596893c39251dfdf43387e4074c693f2d7c14ecbb1
Instruction Fuzzy Hash: DA31C434A55A08EFEB309E14CC46BEA3765EB0C390F586113FE10962E1C7B89981DB4A

Function 0040AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0040ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0040AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0040AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0040ACC6

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 04e6a174ad3e3198acc2e86f8dfaa9c20e00630a3277cffb1919f56de5e70b65
Instruction ID: 733475d4f6f5c3ab620da0a6f0c5847a7214828d900abb74fd72f4fa65941b61
Opcode Fuzzy Hash: 04e6a174ad3e3198acc2e86f8dfaa9c20e00630a3277cffb1919f56de5e70b65
Instruction Fuzzy Hash: 50311830A087186FFB35CB658C09BFF7AA5AB45314F05423BE485762D1C37C89A1879A

Function 00437674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0043769A
GetWindowRect.USER32(?,?), ref: 00437710
PtInRect.USER32(?,?,00438B89), ref: 00437720
MessageBeep.USER32(00000000), ref: 0043778C

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f9175009ad601448f88512d08a9965702b27b7adb80a57a058dcb3aa267cd687
Instruction ID: 415f64560b22bb72d1f2e3a49accd8b26bbe4f7830afd44d1eeb5ebe8d54501b
Opcode Fuzzy Hash: f9175009ad601448f88512d08a9965702b27b7adb80a57a058dcb3aa267cd687
Instruction Fuzzy Hash: 6441ADB4605214EFCB21CF58C895EA977F4FB4D314F1850AAE5949B361C338B942CF98

Function 004316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004316EB

Part of subcall function 00403A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00403A57
Part of subcall function 00403A3D: GetCurrentThreadId.KERNEL32 ref: 00403A5E
Part of subcall function 00403A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004025B3), ref: 00403A65

GetCaretPos.USER32(?), ref: 004316FF
ClientToScreen.USER32(00000000,?), ref: 0043174C
GetForegroundWindow.USER32 ref: 00431752

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 01f95a3f02750a7e200dc2e6c1eee67953e503ac32a8ff1c18b300beba3bf4f1
Instruction ID: c3d3446b146f77a49e3321896dfbba2b38746ca705493e718b872da61ee1a94e
Opcode Fuzzy Hash: 01f95a3f02750a7e200dc2e6c1eee67953e503ac32a8ff1c18b300beba3bf4f1
Instruction Fuzzy Hash: DD315275E00149AFC701DFAAC8C1CAEBBFDEF49304B54806AE415E7251D7359E45CBA4

Function 00438FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

GetCursorPos.USER32(?), ref: 00439001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003F7711,?,?,?,?,?), ref: 00439016
GetCursorPos.USER32(?), ref: 0043905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003F7711,?,?,?), ref: 00439094

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bd48690c81b7cfbfa7717e7332b9f9ca44f84293b3247918d59a82abf2761c15
Instruction ID: 68bfa30bb0f87b8215e81454141254cfa40cb7062c11edf6174921973dd5e538
Opcode Fuzzy Hash: bd48690c81b7cfbfa7717e7332b9f9ca44f84293b3247918d59a82abf2761c15
Instruction Fuzzy Hash: C321BF35600118FFCB298F98C898EEB3BB9EB89350F004066FA055B261C3759D91DB64

Function 0040D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043CB68), ref: 0040D2FB
GetLastError.KERNEL32 ref: 0040D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0040D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0043CB68), ref: 0040D376

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c2940d2140838db88dda25c3d2adb85d3d318a47eb9893a6916ea9ec27f009a0
Instruction ID: 1631108fb6080d57d7b6bfcd134ae32c55db7b81b4c25c036f8e0cd466b45e4e
Opcode Fuzzy Hash: c2940d2140838db88dda25c3d2adb85d3d318a47eb9893a6916ea9ec27f009a0
Instruction Fuzzy Hash: 772191709043019FC700DF68C88146BB7E8EE5A364F104A6EF899E72E1D735D94ACB9B

Function 00401571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0040102A
Part of subcall function 00401014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00401036
Part of subcall function 00401014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401045
Part of subcall function 00401014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0040104C
Part of subcall function 00401014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00401062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004015BE
_memcmp.LIBVCRUNTIME ref: 004015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401617
HeapFree.KERNEL32(00000000), ref: 0040161E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ce5bf0212b58da367618b70df75e90b641cecb27e90a99967613e395659c6e8a
Instruction ID: b3070ed714e4afb7c5504c49b7370947f6363d0daa8d87ff7df5039dafa5d28d
Opcode Fuzzy Hash: ce5bf0212b58da367618b70df75e90b641cecb27e90a99967613e395659c6e8a
Instruction Fuzzy Hash: 4C216B31E40108AFDF14DFA4C945BEEB7B8EF84344F08486AE441BB291D735AA45DB94

Function 00432782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0043280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00432824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00432832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00432840

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 841d83d1f863fbe4e67435a6db163ed55acfce1d2c865cb8bad3998add42b8ef
Instruction ID: 5099788721b3fd45cd8a8f18f1b478db0fb59028214bec4eb37f0ecf30d5701e
Opcode Fuzzy Hash: 841d83d1f863fbe4e67435a6db163ed55acfce1d2c865cb8bad3998add42b8ef
Instruction Fuzzy Hash: 7C210331204520BFD714AF24C984FAABB95FF4A324F149259F4268B2E2C7B9FC42C794

Function 004078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?), ref: 00408D8C
Part of subcall function 00408D7D: lstrcpyW.KERNEL32(00000000,?,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00408DB2
Part of subcall function 00408D7D: lstrcmpiW.KERNEL32(00000000,?,0040790A,?,000000FF,?,00408754,00000000,?,0000001C,?,?), ref: 00408DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407923
lstrcpyW.KERNEL32(00000000,?,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00408754,00000000,?,0000001C,?,?,00000000), ref: 00407984

Strings

cdecl, xrefs: 0040797B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 385a0f9342c4380717e5b3e02f27cd38b2ee4edd1b8da75a16970c3d256f308b
Instruction ID: d54639a9b08e2e92f44dedf5466f4d604f9d05ab23317306f025cff0f1bac103
Opcode Fuzzy Hash: 385a0f9342c4380717e5b3e02f27cd38b2ee4edd1b8da75a16970c3d256f308b
Instruction Fuzzy Hash: 3011E47A200201ABDB159F35C845D7B77A5EF45350B10403BE942DB3A4EB359811D7AA

Function 00437CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00437D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00437D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00437D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0041B7AD,00000000), ref: 00437D6B

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c66aa183e6e4270818ee72e903e1177912946a3e675ef6cb89f9d6592aa069c6
Instruction ID: af3cfaec7d6da05a95f2a008e310e0f8a1edee8fa6fbee0138a27805aa0ff0eb
Opcode Fuzzy Hash: c66aa183e6e4270818ee72e903e1177912946a3e675ef6cb89f9d6592aa069c6
Instruction Fuzzy Hash: 3711D2B1104664AFCB209F28CC04EA63BA4AF49360F11A325F979D72F0D7348951DB48

Function 00435660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004356BB
_wcslen.LIBCMT ref: 004356CD
_wcslen.LIBCMT ref: 004356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00435816

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ce7dd6f647ea3c56b1cd49f14f96c263749b43200730efa23321e96a80b38cb9
Instruction ID: 1f7b00818dada337baeb9c58b21a2ece3716b4a69a28a797f3b068cd00d03531
Opcode Fuzzy Hash: ce7dd6f647ea3c56b1cd49f14f96c263749b43200730efa23321e96a80b38cb9
Instruction Fuzzy Hash: 7711037160061896DB20EF65CC82BEF37BCEF19760F10502BF919D6181EB78CA84CB69

Function 003D1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3217bb3d7be7ab69552e1efdbc440c64ec0c43496c00480b455384fa2577853
Instruction ID: 59fb9316c058d4a3210d19f1137d96db08d4f0ea04ed4a3d1f8c0f701af89abe
Opcode Fuzzy Hash: e3217bb3d7be7ab69552e1efdbc440c64ec0c43496c00480b455384fa2577853
Instruction Fuzzy Hash: 6A0178B32096167FEA2226787CC0F37661EDF423B8B310326B522A53D2DB608C409160

Function 00401A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00401A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00401A8A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7e738d7bf30a014964f64583654810e3aebc88a76bd123e30edf9ffaf5c0dac4
Instruction ID: 4532254d26270cbc232a9f83f679bd9664f792a6aaeec51aa05d5ddb140459b3
Opcode Fuzzy Hash: 7e738d7bf30a014964f64583654810e3aebc88a76bd123e30edf9ffaf5c0dac4
Instruction Fuzzy Hash: F5112E35A01219FFDB109BA5CD85F9DBB78EB04750F2000A2E500B7290D6716E50DB94

Function 0040E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0040E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0040E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040E24D

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bc075fd87755f031dbc718171426c1898148a7ee8cd562e466755d4b26ce1704
Instruction ID: dddfc7a340519157c2f2fc4af752f8a7e1507ccf0129d2ac1a25b1f9e57f6baa
Opcode Fuzzy Hash: bc075fd87755f031dbc718171426c1898148a7ee8cd562e466755d4b26ce1704
Instruction Fuzzy Hash: D7110872904214BBD7019BAC9C49A9F7FAC9B45314F00467AFC14F32D1D274CD1087A4

Function 003CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,003CCFF9,00000000,00000004,00000000), ref: 003CD218
GetLastError.KERNEL32 ref: 003CD224
__dosmaperr.LIBCMT ref: 003CD22B
ResumeThread.KERNEL32(00000000), ref: 003CD249

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c8c1a1a6c75a59ac9efed530fe6e8d25f7e14cdf7d6672d2da7e42f46e2105bc
Instruction ID: 5577dc8b1f5004276996c8858074071eca5a85816edcb085aa6b8dd254a20fa1
Opcode Fuzzy Hash: c8c1a1a6c75a59ac9efed530fe6e8d25f7e14cdf7d6672d2da7e42f46e2105bc
Instruction Fuzzy Hash: 1101C076805208BBDB225BA5DC09FAA7A6DDF81330F21063DF925DA1D0CB70CD01D7A0

Function 00439EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 003B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 003B9BB2

GetClientRect.USER32(?,?), ref: 00439F31
GetCursorPos.USER32(?), ref: 00439F3B
ScreenToClient.USER32(?,?), ref: 00439F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00439F7A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ac8e391b735aeb2e4e0077ea8022a3e6084d358050dfa975a9b6b736e3529f2a
Instruction ID: c2b7a77f42457dd8a63328d8f6c8f99992bab7ba9062bc9fe78e4cfe317c8f95
Opcode Fuzzy Hash: ac8e391b735aeb2e4e0077ea8022a3e6084d358050dfa975a9b6b736e3529f2a
Instruction Fuzzy Hash: 83115A7290011ABBDB10EFA9C885DEE77B8FB09315F105466F911E3150D778BE81CBA9

Function 003A600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
GetStockObject.GDI32(00000011), ref: 003A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 38f5cef71d57da956b73553642ccc0e483857ce6f3044715b00fb8823ef73e36
Instruction ID: 51c6c80b0cdf6e5febe6734029cf37fec6539b70444e0e1c992e77dd2ced22c6
Opcode Fuzzy Hash: 38f5cef71d57da956b73553642ccc0e483857ce6f3044715b00fb8823ef73e36
Instruction Fuzzy Hash: 5711A172105509BFEF128FA48C45EEA7B6DEF0A354F050211FA1462010C7329CA0DB90

Function 003C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 003C3B56

Part of subcall function 003C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003C3AD2
Part of subcall function 003C3AA3: ___AdjustPointer.LIBCMT ref: 003C3AED

_UnwindNestedFrames.LIBCMT ref: 003C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 003C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 003C3BA4

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 999dd4153fd110d6aedeaf3f5c612939d0ab8839d9fd8798ebe4598e2e218b3d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2E01E932100149BBDF126E95CC46EEB7B7DEF58754F058018FE489A121D732ED61DBA0

Function 003D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003A13C6,00000000,00000000,?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue), ref: 003D30A5
GetLastError.KERNEL32(?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue,00442290,FlsSetValue,00000000,00000364,?,003D2E46), ref: 003D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003D301A,003A13C6,00000000,00000000,00000000,?,003D328B,00000006,FlsSetValue,00442290,FlsSetValue,00000000), ref: 003D30BF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 20f1fbd3ea391a882c3af51d8adcd7537bb00994c6f071e3572a1eb0ecdfae19
Instruction ID: 01f411c5edf1fc6d33120258ae2fb40e8203ae4ac1e921eac39c2081d20a0b43
Opcode Fuzzy Hash: 20f1fbd3ea391a882c3af51d8adcd7537bb00994c6f071e3572a1eb0ecdfae19
Instruction Fuzzy Hash: 0201D433742222ABCB224B78BC849677B98AF05B61B150631F907F3240C721DD01C7E5

Function 00407464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0040747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00407497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004074CA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7511237091bad3b649fc3f8ec5766ccf3280a6b642d1561fcc12ccb2ef04f6a1
Instruction ID: 9fcce6b8a82cbcafb09fc68ffe41be44b880ebd655e8577e1aa8fd4cd5ca8627
Opcode Fuzzy Hash: 7511237091bad3b649fc3f8ec5766ccf3280a6b642d1561fcc12ccb2ef04f6a1
Instruction Fuzzy Hash: 2211ADB5A05314ABE7208F14ED48B927BFCEB00B00F10857AE656E6191D7B4F904DBA6

Function 0040B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040ACD3,?,00008000), ref: 0040B126

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b7d181abbad5fe1484718a3bd5a0ccaf99a468d529697666d0d840d35aa42d46
Instruction ID: bbe622cc4a0234455ad89d87b94ca99bf68c99f38428bafcb545f8717e7640de
Opcode Fuzzy Hash: b7d181abbad5fe1484718a3bd5a0ccaf99a468d529697666d0d840d35aa42d46
Instruction Fuzzy Hash: 0A116131C0151CD7CF009FE4D9986EEBB78FF09751F1040A6D941B6281CB3455519B9D

Function 00437E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00437E33
ScreenToClient.USER32(?,?), ref: 00437E4B
ScreenToClient.USER32(?,?), ref: 00437E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00437E8A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bdfec92c1e9014ced5992b39fdb73da818a658350c8b73384d5b36511a60cbd0
Instruction ID: 35fe851f6752d53b98df8ea8dc8c8f27e501ef1e98919b86483a024fe3356b50
Opcode Fuzzy Hash: bdfec92c1e9014ced5992b39fdb73da818a658350c8b73384d5b36511a60cbd0
Instruction Fuzzy Hash: 6C1143B9D0020AAFDB51CF98C8859EEBBF5FB08310F505066E915E2210D735AA54CF54

Function 00402DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00402DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00402DD6
GetCurrentThreadId.KERNEL32 ref: 00402DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00402DE4

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: cdbf68d905e0b09e4296a4623b8398a23fbccf5be8db35f5941fbac05e56ca21
Instruction ID: 729bc7cf0e3103a74ca24787185592e332166e6c11bb66c7faa43604361791f7
Opcode Fuzzy Hash: cdbf68d905e0b09e4296a4623b8398a23fbccf5be8db35f5941fbac05e56ca21
Instruction Fuzzy Hash: BEE06D711412247ADB201B629C4EFEB3E6CEF42BA1F001026B105F10C09AA4C841C7B5

Function 00438863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 003B9693
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96A2
Part of subcall function 003B9639: BeginPath.GDI32(?), ref: 003B96B9
Part of subcall function 003B9639: SelectObject.GDI32(?,00000000), ref: 003B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00438887
LineTo.GDI32(?,?,?), ref: 00438894
EndPath.GDI32(?), ref: 004388A4
StrokePath.GDI32(?), ref: 004388B2

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 504524023d9b21c3bed314d7abd7844da793507dbdae8c8d5a6e28c7bd6461d6
Instruction ID: d384b79650beadb41a1eecbbb9e2517c667e40607871a2cda4f0b80fbebb6b3c
Opcode Fuzzy Hash: 504524023d9b21c3bed314d7abd7844da793507dbdae8c8d5a6e28c7bd6461d6
Instruction Fuzzy Hash: 7BF03A36045658FADB166F98AC09FCA3B69AF0A310F048011FB12751E2C7795551DFAD

Function 003B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003B98CC
SetTextColor.GDI32(?,?), ref: 003B98D6
SetBkMode.GDI32(?,00000001), ref: 003B98E9
GetStockObject.GDI32(00000005), ref: 003B98F1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: cc848e7dd618b088790f302d812e4c599e9be4558430f7212feb5a22bb91d9a6
Instruction ID: 8f1a07b20c81bf51c5294443626f2185c8ac240de2e0765068d1b847bd43fc04
Opcode Fuzzy Hash: cc848e7dd618b088790f302d812e4c599e9be4558430f7212feb5a22bb91d9a6
Instruction Fuzzy Hash: 51E06531244244AADF215B75AC49BE83F10AB12335F048229F7F9A40E1C37146409F10

Function 0040162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00401634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004011D9), ref: 0040163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004011D9), ref: 00401648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004011D9), ref: 0040164F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8e5dc1b9fb355b0a6b32e193d13520b8db2ac7c83d907e34dd49adc9d80c281c
Instruction ID: 74afbdb2d2501f954c015b697208dff379518d18e082f27972def17c8b5c669c
Opcode Fuzzy Hash: 8e5dc1b9fb355b0a6b32e193d13520b8db2ac7c83d907e34dd49adc9d80c281c
Instruction Fuzzy Hash: EAE08632601211DBD7202FE09D4DB8B3B7CAF54791F144829F646E9090D7388444CB98

Function 003FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003FD858
GetDC.USER32(00000000), ref: 003FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003FD882
ReleaseDC.USER32(?), ref: 003FD8A3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e1e86c8b7dbc927ca7f7b1900b04d90fe8163e5bc655b66465c5b6a9f95d76a3
Instruction ID: ac7201854a40b227a81aa8e2dabf32406690d7f19a913192bde66726d149869c
Opcode Fuzzy Hash: e1e86c8b7dbc927ca7f7b1900b04d90fe8163e5bc655b66465c5b6a9f95d76a3
Instruction Fuzzy Hash: FAE04FB1800204DFCF42AFA0D88D66DBFB6FB08310F10A029F946F7260C7388902AF44

Function 003FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003FD86C
GetDC.USER32(00000000), ref: 003FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003FD882
ReleaseDC.USER32(?), ref: 003FD8A3

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8c64da1c5e2c07fde8f6dd6b48f1f72fed6786c72c2b2f43b64887759cf1ca2e
Instruction ID: 0fff62672956525cbe1f6a9a483b0339bcb8bc99e2140c997f1d2df096bf84c7
Opcode Fuzzy Hash: 8c64da1c5e2c07fde8f6dd6b48f1f72fed6786c72c2b2f43b64887759cf1ca2e
Instruction Fuzzy Hash: 20E09A75900604DFCB51AFA0D88D66DBBB5FB08311F14A459F946F7260D73859029F54

Function 00414D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 003A7620: _wcslen.LIBCMT ref: 003A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00414ED4

Strings

LPT, xrefs: 00414DFB
*, xrefs: 00414E10

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8f534b6a2ebf143e22e360154f2950903507dd904061d5f9866e6abc24ce96a1
Instruction ID: 8008755a8fea177e89da29fe633560e3b0f79984610edd7c7ffa6e47157e22d5
Opcode Fuzzy Hash: 8f534b6a2ebf143e22e360154f2950903507dd904061d5f9866e6abc24ce96a1
Instruction Fuzzy Hash: ED914175A002049FCB15DF54C484EEABBF1AF85304F19809AE4099F3A2D735EE86CB55

Function 003CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003CE30D

Strings

pow, xrefs: 003CE2E5, 003CE302

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2d398b95641577dee8b683cdfb718cca890f8cc76a041bdec3a995a7a94cd6ef
Instruction ID: b8e640cfab03b74a3ea776f5b514a00b57a100c3081ad6a5ea2d1c4391e37fcc
Opcode Fuzzy Hash: 2d398b95641577dee8b683cdfb718cca890f8cc76a041bdec3a995a7a94cd6ef
Instruction Fuzzy Hash: E7515C67A0C20296CB177714ED02B793BA8EB40740F754D6EF095C63E9FB358C859B46

Function 00427771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(003F569E,00000000,?,0043CC08,?,00000000,00000000), ref: 004278DD

Part of subcall function 003A6B57: _wcslen.LIBCMT ref: 003A6B6A

CharUpperBuffW.USER32(003F569E,00000000,?,0043CC08,00000000,?,00000000,00000000), ref: 0042783B

Strings

<sF, xrefs: 004277C8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sF
API String ID: 3544283678-1235028854
Opcode ID: ac8148dfe466d8700dc78b5b774ea5c5ddc12823385876c9df85c5823f2004b9
Instruction ID: 285e4b3ada3f5a359213bc7fdc06634c4285d6c4430ed635cc02032efd3fb02e
Opcode Fuzzy Hash: ac8148dfe466d8700dc78b5b774ea5c5ddc12823385876c9df85c5823f2004b9
Instruction Fuzzy Hash: 73617376A142289ACF06FBA4DC91DFEB374FF15300B84412AF542BB191EF385A45CBA5

Function 003BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 003BE1B1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d4953d1f9a61a1f53ee76bc8e6bf4525dc5a35863419e80b36b0c816f3b75eb4
Instruction ID: 5382f00a3245a14d8b89b766090725bd213449ee83becc1b7940553d6ac04440
Opcode Fuzzy Hash: d4953d1f9a61a1f53ee76bc8e6bf4525dc5a35863419e80b36b0c816f3b75eb4
Instruction Fuzzy Hash: E251323550024ADFDB17EF28C081AFA7BA8EF16310F244465EE919F6E0D6349D46CBA0

Function 003BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 003BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 003BF2BB

Strings

@, xrefs: 003BF2AF

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 04d432289bb9d888112b6e31aa2f541e542817a6f42c39d4e3bc31fd48368111
Instruction ID: 735d0ba195a99f44acf5fa12b44d6bf906182b32f6dead353492afa662f1c7da
Opcode Fuzzy Hash: 04d432289bb9d888112b6e31aa2f541e542817a6f42c39d4e3bc31fd48368111
Instruction Fuzzy Hash: 185153724187449FD321AF10DC86BABBBF8FB85704F81885CF199451A6EB308529CB6A

Function 00425745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004257E0
_wcslen.LIBCMT ref: 004257EC

Strings

CALLARGARRAY, xrefs: 004257E6, 004257EB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c05773a18811c1c72d78cc2aaa6f741a28111dc28844d617a0169ce976163c32
Instruction ID: 136d1f8f0f65026e09035e550ec453a3b0cb2f049aa740ad2621b80b794cff46
Opcode Fuzzy Hash: c05773a18811c1c72d78cc2aaa6f741a28111dc28844d617a0169ce976163c32
Instruction Fuzzy Hash: 9641D131E001199FCB04EFA9D8819FEBBB4FF59324F50806AE505AB351E7789D81CB94

Function 0041D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0041D13A

Strings

|, xrefs: 0041D10B

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1ac2bac1f9f9d9e6e113dfd9b05b101952c24fe26d5118d69f2ccf3e04182a6e
Instruction ID: 33d471e298e7e5c70de56703fb47403df4d4b4260bcb352673585c63d7a3c27f
Opcode Fuzzy Hash: 1ac2bac1f9f9d9e6e113dfd9b05b101952c24fe26d5118d69f2ccf3e04182a6e
Instruction Fuzzy Hash: B8311972D00219ABCF16EFA4CD85EEEBFB9FF05300F000019E815AA261DB35AA46CB54

Function 0043356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00433621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0043365C

Strings

static, xrefs: 004335BC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8d7533190d5a8b8b367fe4000d8b386df419050cd6e96aff329efabc4412828b
Instruction ID: 046d43ade6a94edd6c23f440669409e968a69741a0ed81b20fe1c9955587d6db
Opcode Fuzzy Hash: 8d7533190d5a8b8b367fe4000d8b386df419050cd6e96aff329efabc4412828b
Instruction Fuzzy Hash: B431AF71110204AEDB20DF28DC81EFB73A9FF48724F10A61EF8A5D7290DA34AD81C768

Function 00434537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0043461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00434634

Strings

', xrefs: 0043458E

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2c56355d6faf1a186aebf63c2e0fe85bafe70ecc7fd4b3ee711fe584cf538e75
Instruction ID: c2cc33a4025c743f58dcf4156a6a3ff2edd6347ca38761fc2e2f0804a579842d
Opcode Fuzzy Hash: 2c56355d6faf1a186aebf63c2e0fe85bafe70ecc7fd4b3ee711fe584cf538e75
Instruction Fuzzy Hash: 063138B4E01309AFDB14CFA9C981BDABBB5FF49300F10506AEA04AB391D774A941CF94

Function 004331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0043327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00433287

Strings

Combobox, xrefs: 00433249

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6081db48e899949cf282fee1c84a510bbf458af1262ea13328aacd49f66a504e
Instruction ID: 09a3af8d4f5937aa6d74142608bf35d694e5688cced983928dc80af8f018d1a2
Opcode Fuzzy Hash: 6081db48e899949cf282fee1c84a510bbf458af1262ea13328aacd49f66a504e
Instruction Fuzzy Hash: 7C1104713002087FFF21DF94DC81EBB376AEB983A5F10122AF9189B390D6399D518764

Function 00433710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 003A604C
Part of subcall function 003A600E: GetStockObject.GDI32(00000011), ref: 003A6060
Part of subcall function 003A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 003A606A

GetWindowRect.USER32(00000000,?), ref: 0043377A
GetSysColor.USER32(00000012), ref: 00433794

Strings

static, xrefs: 00433757

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 296c0e121fa4dad85758861a7c0c4bd93ac726ebc1cbc65f8b942a304dac8a4d
Instruction ID: b8c1fc9bf93d9f15e3151cbfbe7097da659b95566ba2bbda80d8ed0a081e0950
Opcode Fuzzy Hash: 296c0e121fa4dad85758861a7c0c4bd93ac726ebc1cbc65f8b942a304dac8a4d
Instruction Fuzzy Hash: 03113AB2610209AFDF01DFA8CC46EFA7BB8FB08315F015529F955E2250D739E8619B54

Function 0041CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0041CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0041CDA6

Strings

<local>, xrefs: 0041CD66

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 854a11f5e5aa14a39f00098696c882476b1bc2209b2cbe21cbf37df22f428472
Instruction ID: e61ebf4d17a1fc60abce9a02287b09acc77193588544dbaab91689ed4ff7e469
Opcode Fuzzy Hash: 854a11f5e5aa14a39f00098696c882476b1bc2209b2cbe21cbf37df22f428472
Instruction Fuzzy Hash: CC1106712816327AD7344B669CC4FE7BE6CEF127A4F004237B10993180D3789881D6F4

Function 00433429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004334BA

Strings

edit, xrefs: 0043348F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1cd15d1e39515034fe29308540fa8bf04dea98fe5b4aa0ed7897a6b229410744
Instruction ID: 8b3ff8afbc0b919ccd99b6dc16c9406816f8f4464e52abae21c3194603487580
Opcode Fuzzy Hash: 1cd15d1e39515034fe29308540fa8bf04dea98fe5b4aa0ed7897a6b229410744
Instruction Fuzzy Hash: 5A11B271100104ABEB114F64DC80AAB3769EF29379F506325F960932E0C739DC519B58

Function 00406C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00406CB6
_wcslen.LIBCMT ref: 00406CC2

Strings

STOP, xrefs: 00406CBC, 00406CC1

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f1040c0098115450bf9e64613cd99f069ba355e5783fad657bfa19e7b69140bb
Instruction ID: cb9256d87afc8cc7585255fde522b38d5c4ae075ae72734c59630e9e87575eba
Opcode Fuzzy Hash: f1040c0098115450bf9e64613cd99f069ba355e5783fad657bfa19e7b69140bb
Instruction Fuzzy Hash: 1E0104326045268BDB219FBDDC80ABF33A4EE61710702053AE853B62D0EB39D820C654

Function 00401CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00401D4C

Strings

ListBox, xrefs: 00401D16
ComboBox, xrefs: 00401CEB

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ac8f529e4c897b62041871d5e5512b5600a6ba876134d3ff922e15b9c799579
Instruction ID: 98398aa65d4b3bad86688458170fbfbdc972b06a5d65b52e7b9809bb3e5c46cf
Opcode Fuzzy Hash: 8ac8f529e4c897b62041871d5e5512b5600a6ba876134d3ff922e15b9c799579
Instruction Fuzzy Hash: 2801D871641214ABCB05EFA4CC51DFF7768EF47350B14052BF8227B3D1EA3869088765

Function 00401BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00401C46

Strings

ListBox, xrefs: 00401C10
ComboBox, xrefs: 00401BE5

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6ff611faff1501747459017001b4dc206479ca549d5aae4bd19a34ec3677811e
Instruction ID: bb7bc7f66079ac511210f4a61b9ee83a6ae2926439270bb6b1cf6e726ca2ea3a
Opcode Fuzzy Hash: 6ff611faff1501747459017001b4dc206479ca549d5aae4bd19a34ec3677811e
Instruction Fuzzy Hash: 1E01A77568510467DB19FB90C952AFF77ACDB12340F14002BB406772D1EA38DE48C6BA

Function 00401C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00401CC8

Strings

ListBox, xrefs: 00401C94
ComboBox, xrefs: 00401C69

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 00869a72a7be4600a38f82a8414cf5617ec85a3a8b1e7e190f09a20f421a2497
Instruction ID: 04116ad0583e65abb4925b97b4a4b9b60accbdbc9bb3944d3475c9d8ead0c0fb
Opcode Fuzzy Hash: 00869a72a7be4600a38f82a8414cf5617ec85a3a8b1e7e190f09a20f421a2497
Instruction Fuzzy Hash: 8401DB7168411467DB05EB90CA11BFF77ACDB12340F140027B801772D1EA38DF09D67A

Function 003BA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003BA529

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Strings

,%G, xrefs: 003BA509
3y?, xrefs: 003BA545, 003BA54D, 003BA552

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%G$3y?
API String ID: 2551934079-1764036712
Opcode ID: 5b19dfe3c1727cf972684034ad836be8bc4451ca111c4605fe8e42d3df87b49a
Instruction ID: 1c4686b68312c7054f214f6c06bbac79dbe701e20495efa2f61fe50d3ac098aa
Opcode Fuzzy Hash: 5b19dfe3c1727cf972684034ad836be8bc4451ca111c4605fe8e42d3df87b49a
Instruction Fuzzy Hash: B0014732600E2097C627F7689D07FED3398DB06714F40406AF6066F6C2DE50AE01869B

Function 00401D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A9CB3: _wcslen.LIBCMT ref: 003A9CBD

Part of subcall function 00403CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00403CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00401DD3

Strings

ListBox, xrefs: 00401DA0
ComboBox, xrefs: 00401D75

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bffb081ad298fae199463855443a1953a78d6b306826bd5347a80b6cd24135f9
Instruction ID: 62b1ccce6bb6eebe72f399cc2fd0b2fbedafe58c4c46354913a7033b98618cb9
Opcode Fuzzy Hash: bffb081ad298fae199463855443a1953a78d6b306826bd5347a80b6cd24135f9
Instruction Fuzzy Hash: 6BF0F471A4061466DB04EBA4CC52BFF776CEF02354F04092BB822B72D1EA7869088269

Function 00438172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00473018,0047305C), ref: 004381BF
CloseHandle.KERNEL32 ref: 004381D1

Strings

\0G, xrefs: 0043818A

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0G
API String ID: 3712363035-2904157190
Opcode ID: b8e012f66b75106a30f07a27ab7c4c1cfb1190a8f1ea9b963a76750eb336d5ee
Instruction ID: 55861d195a09bf41a1a58ea3dfd95185577110151ba72b993d7d3d61f81b2ea6
Opcode Fuzzy Hash: b8e012f66b75106a30f07a27ab7c4c1cfb1190a8f1ea9b963a76750eb336d5ee
Instruction Fuzzy Hash: 0EF05EB2640340BAE2206F61AC45FB73A5CDB05752F004435BB0CE91A2D6798E50A3FD

Function 0042747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00427493
_wcslen.LIBCMT ref: 004274B9

Strings

3, 3, 16, 1, xrefs: 00427483

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bd02b1f2de5aec56112ffa106ac0aab5381c03106126916768765b1d7c2f2ef0
Instruction ID: d09111f991fb26f835a492940e437655e66a09a36ad6877656582f274de4b8bf
Opcode Fuzzy Hash: bd02b1f2de5aec56112ffa106ac0aab5381c03106126916768765b1d7c2f2ef0
Instruction Fuzzy Hash: EAE02B02704230109232327ABCC1FBF5689CFC5790750182FF981C6366EBA88D9193A9

Function 00400B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00400B23

Strings

Error allocating memory., xrefs: 00400B1C
AutoIt, xrefs: 00400B17

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: fb2d03184bd02b59e8acdfdd6d9dd1dc674c0c74198049f50d9cc7984cccfd01
Instruction ID: 364be72f2c54d885fc0cd6c4d26480f5613275f054ab3bb6524796d0e63bfd3c
Opcode Fuzzy Hash: fb2d03184bd02b59e8acdfdd6d9dd1dc674c0c74198049f50d9cc7984cccfd01
Instruction Fuzzy Hash: 2FE048312443182AD21536947C43FD97A848F09B55F20542BFB58A95C38BE6655047ED

Function 003C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,003C0D71,?,?,?,003A100A), ref: 003BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,003A100A), ref: 003C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,003A100A), ref: 003C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003C0D7F

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 880b30d3ddef542dae15e35ad778850dc23ea037d4c9fb0e8c9d3539660d8e4d
Instruction ID: 5577e9b6c7920883af7a393bc0dde035ad16162ec1847a3c35e3ac002d9fc8b5
Opcode Fuzzy Hash: 880b30d3ddef542dae15e35ad778850dc23ea037d4c9fb0e8c9d3539660d8e4d
Instruction Fuzzy Hash: 4BE092746003518FD3359FBCD8497467BE0AF04744F00897EE887CA661DBB4E8488BD1

Function 003BE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003BE3D5

Strings

0%G, xrefs: 003BE3B5
8%G, xrefs: 003BE3CA

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%G$8%G
API String ID: 1385522511-2380194405
Opcode ID: 5e8117eff3dafa13dd7c8ce1e55e1bc4e70c82b6332b16fa9c095124939eabdc
Instruction ID: ad631a46c8261a0c57a56e1dbce901f1390a17f56e3cdeb0ef822d7cb12d6b2f
Opcode Fuzzy Hash: 5e8117eff3dafa13dd7c8ce1e55e1bc4e70c82b6332b16fa9c095124939eabdc
Instruction Fuzzy Hash: 17E02639400910EBC60A972CBA54ECA3395EB0432CB909179E20E8B9D39BB46C81874C

Function 00413017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0041302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00413044

Strings

aut, xrefs: 00413038

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 23094e09c3614b6a8b3eeb0c61dcfd5379b2158d4b23a049c294201bc0c71fbb
Instruction ID: 66f3e017bdfde65b3fb08ebe7c3ee0025c3e340e12c806582f83141b0a9c3977
Opcode Fuzzy Hash: 23094e09c3614b6a8b3eeb0c61dcfd5379b2158d4b23a049c294201bc0c71fbb
Instruction Fuzzy Hash: 02D05E7290032867DB20A7A4AC4EFCB3A6CDB05750F1002A2BA55E2091EAB49984CBD4

Function 003FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003FD220

Strings

%.3d, xrefs: 003FD22B
X64, xrefs: 003FD2A8

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e8f748c314550ed439d41364df8d880305fad9cff11e90d9771bf4c86c2f9b32
Instruction ID: 3abeb2ebece4af8aad1b4a8c3f6eab82d04fc3acbb1f34ec0835f31635aba161
Opcode Fuzzy Hash: e8f748c314550ed439d41364df8d880305fad9cff11e90d9771bf4c86c2f9b32
Instruction Fuzzy Hash: C0D01261C0810CF9CB5297D0CC4D9FAB37DBB08301F608862FA06A1841E734C548ABA2

Function 00432356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043236C
PostMessageW.USER32(00000000), ref: 00432373

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Strings

Shell_TrayWnd, xrefs: 00432365

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 010b5060a93e49a36dbc5c5274fa618d8eec4572299fa90aceb99b6e07e863f9
Instruction ID: dff22e2bd2bb97924665ebcd77eec386de104595770d66ecd780051974c2380c
Opcode Fuzzy Hash: 010b5060a93e49a36dbc5c5274fa618d8eec4572299fa90aceb99b6e07e863f9
Instruction Fuzzy Hash: 16D0C972381310BAE664A7719C4FFC676149B05B15F1159267645BA1D0D9B4A8018B5C

Function 00432322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0043233F

Part of subcall function 0040E97B: Sleep.KERNEL32 ref: 0040E9F3

Strings

Shell_TrayWnd, xrefs: 00432325

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1688d94f3f658071fac519de32ace1ff57887283d97c43892c7d285691e568ba
Instruction ID: 4b682462fc407c94382be606393291d211bae07500eb30de698468df406af829
Opcode Fuzzy Hash: 1688d94f3f658071fac519de32ace1ff57887283d97c43892c7d285691e568ba
Instruction Fuzzy Hash: 59D0C976394310B6E664A7719C4FFC67A149B00B15F1159267645BA1D0D9B4A8018B58

Function 003DBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 003DBE93
GetLastError.KERNEL32 ref: 003DBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003DBEFC

Memory Dump Source

Source File: 00000000.00000002.1749421193.00000000003A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003A0000, based on PE: true

Associated: 00000000.00000002.1749379353.00000000003A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749555356.0000000000462000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749658829.000000000046C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1749697965.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3a0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e6154be69dfaa60c376b927b5b5e6e39c2c2d5c4aa517e1016faba4eaa178873
Instruction ID: 4ad7582ba39ef697f3112524654215a085acec150aeae398aa03cdac326c7aac
Opcode Fuzzy Hash: e6154be69dfaa60c376b927b5b5e6e39c2c2d5c4aa517e1016faba4eaa178873
Instruction Fuzzy Hash: 4741B736604246EFCF238F65EC54AAAFBA99F41310F17416AF9599B3A1DB308D01DB50

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 5https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1905126895.000001A8613F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1876818123.000001A8613F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1909229976.000001A862871000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903628603.000001A86286B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1768430052.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1768430052.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1932893350.000001A857AF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930985865.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913406311.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1909229976.000001A862871000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903628603.000001A86286B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878715357.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768430052.000001A85F54E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878715357.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1768430052.000001A85F54E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1768430052.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1768430052.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F54D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1886527138.000001A85F5B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1908355161.000001A85AACE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1908355161.000001A85AACE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000D.00000003.1908355161.000001A85AACE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3556738581.000002190E80A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3556742161.000002359CC03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1932893350.000001A857AF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1930985865.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1913406311.000001A8588EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000D.00000003.1909229976.000001A862871000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1903628603.000001A86286B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1915627889.000001A85FCB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1878238792.000001A85FCB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1893197709.000035887BF03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000D.00000003.1911612418.000001A858B8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932893350.000001A857AEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000D.00000003.1932893350.000001A857A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50051 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50053 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd86c6c-6021-4862-88af-cc316151702a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dfd86c6c-6021-4862-88af-cc316151702a.json.tmp

C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.ico

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2MYL4839XKGVXI1RNYNT.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZWPUUJFJFQIHM1G01R0T.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\store.json.mozlz4 (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre